Chair opening comments | Derek Jamieson | Regional Director, Chartered IIA UK and Ireland
It’s been 10 years since the first Internal Audit Code of Practice was published, initially for financial services and subsequently for other sectors, requiring internal auditors to audit risk and control culture. Since then, there have been numerous scandals across all sectors. The environmental changes in the last few years alone - economy, covid, hybrid working - all impact on people and ultimately, behaviour and culture. Today’s forum is a panel session designed to provoke and inspire on the topic of auditing culture:
Results of poll questions
Are you providing meaningful culture assurance?
Yes 37%
No 63%
Should culture be in scope for internal audit?
Yes 97%
No 3%
Key Takeaways
1. Why should we audit culture? What’s the point?
SB
NC
ED
2. With all the changes taking place in the last few years (e.g. hybrid, flexible or condensed hours working) culture is probably better anyway, so what’s the issue?
NC
ED
SB
3. Even if it is a requirement, how can we (internal auditors) be expected to audit culture?
ED
SB
NC
View from the Institute
As internal auditors we need to get better at this. Chief audit executives should be using their closed meetings with the audit committee wisely to raise concerns about toxic individuals. And perhaps we should be talking less about culture and more about behavioural risk.
Chair closing comments
We will come back to this topic. Today is a beginning. We all need to step up and support each other to be more comfortable with providing assurance on this subject. Our next meeting on 10th May will focus on Strategic Change. What are HIAs doing to understand strategy and strategic change within their organisation, particularly in relation to the change in culture which could result? How are we auditing change and its links to strategy?
Chat comments including Q&A
Comment | Isn't there a real difficulty that culture usually starts from the top, so auditing culture is really like auditing the C-suite behaviours?
NC | Culturally toxic people can be at any level, there can be pockets of behavioural risk where there’s a good board, and also where there’s an issue with a board member. Need to look at the pockets.
ED | What is the relationship with the audit committee chair? Key to landing difficult messages. Internal audit needs an advocate at audit committee to spark debate and have a safe conversation.
SB | The clock is ticking; internal audit cannot wait for the audit committee to be ready to sponsor a culture audit. Chief audit executives need to introduce it via the back door, call it something different - put it in a different wrapper to make it work - criticising people at the top needs an act of courage.
Comment | How do you assist an organisation who you know has a cultural issue when you are aware that the cause is right at the top or within the senior management; but this is not accepted by these individuals?
SB | When delivering a difficult message to powerful people, read the room, think carefully about language, be political, use allies to influence.
NC | Like all other audits, you need concrete evidence to support opinion. Difficult conversations are part of auditing.
Comment | Challenging at the top is difficult but important and can be more positive than you expect; a Director of Governance who was causing harm to an organisation I worked in was moved out of the role on the back of the conversation I had with the Audit Committee (with no officials present) and then a discussion with the CEO about my assurance opinion.
Comment | We did a first attempt at auditing culture - it was difficult to scope and we looked at the controls in place within the organisation that are there to influence culture and we had a number of interviews with management to develop some insights and observations. It wasn't easy - I think the benefit for me was putting it on the board and ARAC radar and reminding them of the importance of culture and their role in influencing it.
Comment | Our first attempt at a standalone culture audit was challenging to scope. We ended up using a hybrid of McKinsey's 7S and the Lloyd's culture tool kit alongside the firm's values to build a scope. It has been more challenging to build into individual audits which is the stage we are at.
Comment | Root cause is fundamental surely?!
Comment | All colleagues have access "on the whole" to manage procedures, pay slips and internal comms via their own device. There is also no direct link from remuneration to results. However, I am sure that it is one measure of performance and therefore the key thing to look out for is return rate, as certain colleagues may get "missed".
Comment | Working across government, I sense an increasing interest in and demand for internal audit work in the areas of organisational design and culture, but this demand is primarily for advisory input / sharing of insights as to what other government departments are doing rather than audit opinions.
Comment | I think one has to be mindful about sensitively reporting "culture issues" that are deeply embedded or inherent within an organisation - outlining the benefits and dis-benefits and root causes of the issues - and how the benefits can be grown. For example a culture clash between two groups within an organisation.
Comment | If we talk about behaviour, there is a link in the draft Global Internal Audit Standards.
Comment | There has been such focus on culture post-COVID, are we finding that people are starting to suffer from culture focus fatigue?
Comment | Commenting on controls is less emotive than commenting on a person's / group's behaviours.
Comment | Although you can review whether certain mechanisms and frameworks exist in a business to set and monitor an appropriate culture, getting to the truth can be really challenging.
Comment | Is there a risk that we might marginalise those who can easily come into the office 1 or 2 days per week versus those who have changed their working practices perhaps moved further away from the office and what might the impact of this be on the organisation?
Response | Is there not also a risk that in doing so, these people have marginalised themselves from being part of / or shaping the culture?
Response | I think it is hard for new starters, but I am not sure this has changed much. "Head Offices" and their geographical locations have always been more accessible for some over others.
Comment | Hybrid is a challenge for organisations that are reliant on physical and less formal control environments, increased risk of reduced supervision etc.
SB | Easier to defraud when not personalised, possibly increased in the world of virtual working.
NC | Possible that some people are still doing 2nd jobs while working remotely, might still be working hard but are they giving you contractual hours?
ED | Takeaway from this session shouldn’t be a war on working from home, it just introduces new risks and we need to be aware of that.
Comment | Another question is whether management information has kept pace with working practices - has it changed to be more outcome focused than input focused?
Comment | I don't think fraud risks have materially increased or decreased because of the post COVID ways of working, I think the risks have changed. And companies need to re-perform fraud risk assessments and adapt controls - and not rely on pre-COVID fraud risk assessments.
Comment | My argument would not be against hybrid working (works for me!) but that robust controls, second and third lines are even more important post pandemic
Comment | Also, when decisions relating to overriding of controls, obtaining approval and ratification on overridings may end up in mere words that may be denied at a later date.
Comment | Remote work would reduce productivity to an extent where it reduced the focus and attention towards what you do - the workers could end up doing work while in vacation mode, like working from a holiday home and extending the weekend to Monday & Tuesday as well.