Can internal auditors really give adequate assurance on corporate governance without auditing corporate culture?



Internal auditing is an evolving discipline, not least due to changing business environments and stakeholder priorities. In 2014, auditing culture has emerged as a new area of focus – a response to growing awareness that hard controls aren’t the only ones that matter. Soft controls that stem from a company’s culture are also vital for good governance.

Corporate culture is not only about the values an organisation espouses, but also how the organisation lives them. The desired values need to be communicated, embedded and monitored. The extent to which these values are being applied is a legitimate subject for internal audit reporting, although there are challenges in applying this philosophy.

Guidance recently issued on the subject by the Chartered Institute of Internal Auditors in the UK and Ireland recognises that ‘auditing indicators of culture is complex…internal auditors need to be comfortable in their understanding of culture and risk culture’.

Chief Audit Executives should ask themselves: can we really offer adequate assurance on the effectiveness of our organisation’s governance, risk and controls if we haven’t given any consideration to the culture and risk culture of our organisation?

If there is any doubt about the importance of assessing the application of stated values, consider Enron and its stated values of community, respect, integrity and excellence. But where is it now? Examples from elsewhere around the world (Lehman Brothers, AIG, and Nortel) also indicate there is a powerful link between poor culture and performance, and ultimately corporate failure.

Cultural indicators are not always easy to recognise and rely on interpretation. In the case of Lehman Brothers, for example, their risk appetite could be interpreted as being high, and they seemingly ignored the signs that suggested that the subprime market was experiencing a high number of defaults. Executives were still paid highly despite company underperformance. Decisions were taken to hide some of the company’s liabilities resulting in a misstatement in the balance sheet. The company’s culture was tied to risk taking behaviours and a poor control environment.

On the other hand, good culture does seem to support good performance. The success of global brands such as Apple and Google could be attributed in part to their powerful cultures that bind people together and set the tone for high performance.

Internal auditors are primed to understand their organisation’s control environment, in line with COSO 2013. However, that control environment needs to be considered in the context of both hard and soft controls. The challenge for internal auditors is that assessing the effectiveness of soft controls is very different to assessing the effectiveness of hard controls.

A useful starting point is to consider what we mean by soft controls. They include:
• Commitment to ethics and integrity;
• Attitudes to risk taking;
• Board oversight of performance and internal control;
• Accountabilities, responsibilities and structures;
• Reporting lines; and
• Recruitment practices – a commitment to attract the right people in line with the organisation’s objectives and values.

Recommendations for auditing culture
• Consider what kind of culture the organisation champions, and how this is measured across operations. For example, does your company have stated values and what type of indicators exist for measuring that employees are living the values? Does your organisation use staff surveys to understand employee attitudes and behaviours? Does your senior management team listen to employees and take action when necessary? Do they operate an open or closed door environment?
• Ensure corporate culture is considered within your organisation’s risk management framework. Who owns it? For example, what does your risk management policy say about risk culture? What kind of risk culture does the company promote and how does it compare to reality? Do the company’s risk taking activities match its risk appetite and stated policies?
• When it comes to developing the internal audit strategy and annual plans, agree with your board and executive team what culture means to the organisation and a form of reporting on softer issues to maintain confidentiality and sensitivity. Ensure your audit and risk universe incorporates culture as a viable audit entity or as a theme which cuts across all audits. Ensure internal audit plans are designed to seek evidence of softer controls such as leadership, ethics and values. This will require judgement based on sound knowledge. The Chartered Institute of Internal Auditors talks about using ‘gut instinct’ when forming a view.
• The COSO framework provides a good basis for evaluating a company’s control environment, and ascertaining what kind of control culture exists. For example, are decisions decentralised or centralised? What tone is set by the Board? Is there a good relationship between the Board and the Executive? What kind of reward and retention packages does the company offer, and are they linked to performance?
• Remember that hard control issues are indicators of soft control weaknesses. For example, consider the frequency with which controls are overridden, as this could be an indicator of managers who are interested in outputs at any cost. Also, consider the effectiveness of communications: what is the company telling employees? Is information transparent or secret? Are auditors evaluating final reports for evidence or indication of culture related issues?
• Consider the broader messages and not just the symptoms derived from individual audits. If material weaknesses have been identified, root cause analysis (e.g. asking the question ‘why?’ 5 times) will help identify the reasons why an issue has occurred, and whether there is an underlying problem that is linked to corporate culture and values.
• Comment on corporate culture (informed by your consideration of soft controls) in your annual assurance to the business. This could be through a reflection of whether audit confirms or validates that corporate values are lived. This could be a result of an evaluation of all final audit reports issued during the year. Consider the processes management has in place for engaging with staff, and ensure these processes are two-way/reciprocal.
• Support your experienced auditors and encourage them to ask questions that address cultural issues and soft controls.
• Ensure your internal audit team has the necessary training and interpersonal skills to pick up on and understand indicators of cultural issues. Ask yourself who is the most appropriate individual to conduct a review of culture.
• Always audit with your head up – be aware of what is going on around you.

Traditionally internal auditors are wary of providing subjective judgement; we are hardwired to believe that professional judgement should underpin opinions. Auditing soft controls and organisational culture requires a certain attitude of mind and awareness. It requires an understanding of the iceberg effect: what is hidden from view may be of greater potential impact than what is visible. It also needs the capacity to put individual audit pieces together to form the bigger picture: local reports and recommendations need to be considered from an organisation-wide perspective to see if any patterns emerge. Many internal auditors are exploring ways in which to encompass culture within their opinions.

This sounds challenging – and it is. Auditing culture is not necessarily about people, but about behaviours, attitudes and, fundamentally, values. Nevertheless, it is a challenge that internal auditors need to accept if they are to provide the more rounded assurance on governance, risk and controls that their stakeholders require of them. Corporate culture is an emerging agenda item, being pushed by regulators and stakeholders. It can no longer be ignored. It is a key part of every company’s second line of defence.

ROBERT NOYE-ALLEN is a Partner in Moore Stephens LLP
KAMI NUTTALL is the Head of the Centre of Excellence in the Governance, Risk & Assurance Group of Moore Stephens LLP