Auditing risks in culture.

Author:Tysiac, Ken

Cultural flaws can seriously damage an organization. Here's how internal auditors can reduce risks by embedding culture audits into existing audit programs.

Communicate your intentions.

When internal auditors identify the risks that culture can pose, it may be up to them to take the first step to move the board and senior management toward supporting this kind of auditing, said Jason Pett, CPA, the U.S. internal audit services leader and financial services risk leader for PwC.

Start with a mandate. Ideally, the board or audit committee will see the value of including assessments of culture in the audit process. A mandate from the board or audit committee will provide internal audit the backing it needs to perform this work.

Evaluate culture in each audit. An evaluation of culture should take place in each audit performed and consist of a series of questions about culture. For example, in the basic audit of a performance bonus or commission structure in a sales channel, internal auditors would ask who establishes the criteria for bonuses; whether compensation is tied to doing the right thing for the company; whether bonuses incentivize the appropriate behaviors; and whether messages about expectations are properly communicated.

Use professional judgment. There is not one "standard" for corporate culture, so internal auditors will need to use professional judgment to evaluate culture based on their experiences and an accumulation of multiple data points, Pett said. "Internal auditors aggregate some substantive findings and some softer findings," he said. "But they're still facts that you've accumulated throughout the year across multiple audits. You then need to aggregate these facts ... and come to some sort of conclusion."

Report. The method of reporting on culture may vary, Pett said. Concerns (or...

To continue reading