I have been spending a great deal of time lately focusing on corporate culture. The number of high-profile corporate scandals in the past year made very clear for me just how much a toxic culture can undermine good governance, and ultimately destroy shareholder value. This makes it imperative for our profession to “follow the risks” and address culture when carrying out our responsibilities.
I believe many of my colleagues agree that the time has come to assess culture, based on the positive response to my keynote address, When Culture is the Culprit, delivered at last week’s IIA GAM conference. This is especially gratifying considering that auditing culture will place a burden on most practitioners to operate outside of their comfort zones.
One observation that I shared during my GAM presentation deserves additional examination. It has become quite clear to me that the relationship between management and internal audit can be a barometer of an organization’s culture.
Let’s examine what most would consider healthy and poor relationships between management and internal audit and what it says about the organizations in which they coexist.
Ideally, internal audit should operate in an atmosphere that allows it to function independently. It should have the resources to do its job well. It must have separate administrative and functional reporting lines to the CEO and board or audit committee respectively. It should have a clear and positive relationship with management that allows it to communicate openly and confidently without fear of repercussions, and it should enjoy a similar relationship with its audit committee and/or board.
An organization in which management treats its internal audit function in such a way reflects much about its culture. It suggests management has the confidence to have its actions and decisions routinely undergo scrutiny from an informed and independent outside perspective. It reflects management that understands its role and that of the board and audit committee, and that is eager to identify risks and control weaknesses and improve on those areas. It reveals a commitment to transparency from confident leadership that does not fear that its actions fall outside the lines of established risk appetites, business strategies, or ethics.
Most importantly, it sets a tone at the top that signals unequivocally that doing things right is a hallmark of its culture.
Conversely, a poor relationship between management and internal audit is defined by efforts to undermine internal audit’s ability to do its job. This signals leadership that shuns scrutiny and will take steps to obstruct or avoid feedback from an independent internal audit function.
Telltale signs include:
Each of these reflects a tone at the top of avoiding accountability and transparency. This does not mean an organization is operating unethically or illegally, but it does suggest a fundamental disregard or misunderstanding of good governance and the dangers that accompany a disregard for it. It at least hints at an organization that has work to do on its culture.
If your organization exhibits any of these red flags, internal audit should take steps to address them with management and the board. The sooner they are corrected, the lower the likelihood that they will create problems with culture.
It is important to remember that the relationship between management and internal audit is a two-way street. Just because there may be disagreement or tension between the two does not necessarily mean there is only a problem with the organization’s culture. Such problems may reflect that internal audit itself has a culture that fosters mistrust and friction.
Under either circumstance, it is imperative for internal audit to constantly work to improve its relationships with management, the audit committee, and board. The long-term success of the organization depends on it.
As always, I welcome your comments.