Posts Tagged “audit information”
It seems like all anyone is talking about nowadays is AI, and Audit International want to know “Can AI enable compliant electronic communications at scale?”
Internal auditors and risk & compliance teams play a critical role in ensuring that organisations are compliant with relevant regulations and policies. However, with the proliferation of electronic communication platforms, the greater embeddedness of electronic communications in our day-to-day work, and the increasing complexity of regulatory requirements, the job of internal auditors and risk & compliance teams has become more challenging.
Over the past decade, we have seen the use of electronic communication in business evolve to the point where we cannot imagine working without it. At the same time, the recent years have seen electronic communication, such as emails and instant messages, increasingly be at the core of regulatory investigations and compliance breaches, with examples all across the media. While electronic communication has transformed the way we work, it also exposes companies to a series of risks that can result in regulatory fines and litigation, causing significant reputational damage and financial loss.
A key challenge is that employees are generally relied upon to observe regulations and corporate policies in their day-to-day communications. Yet they typically receive little support beyond an initial training on compliant communication and are held responsible when things go wrong. The average office worker sends 10,000 emails per year, and it only takes one mistake to get them and their company into trouble. Moreover, traditional compliance training is reactive and simply does not prevent all the breaches that can occur. This is where technology can be leveraged to assist employees in their day-to-day work and, in the long run, create a stronger work culture.
Fortunately, advances in artificial intelligence (AI) are now making it possible to achieve proactive compliance at scale through real-time risk prevention, which can make the job of both employees and risk & compliance teams easier and more effective. One of the key advantages of using AI is that it can help to reduce the burden of manual compliance monitoring tasks, enabling internal auditors and risk & compliance teams to focus on higher value-added activities. By leveraging AI technologies like natural language processing and machine learning, it is now possible to monitor electronic communications at scale, analysing them for potential compliance issues in real time and assisting users to mitigate potential risks before they occur. This can help to streamline compliance management processes, enabling risk & compliance teams to more efficiently manage compliance and minimise the risk of costly violations.
Another advantage of using AI is that it can help to improve the accuracy and effectiveness of compliance monitoring. Traditional compliance monitoring methods often involve manually reviewing vast quantities of data, which can be time-consuming and error-prone. By contrast, AI can analyse data in real time, automatically flagging potential compliance issues and providing actionable insights to internal auditors. This can help organisations to stay ahead of evolving regulations and minimise the risk of compliance violations.
AI can also help improve the quality of compliance monitoring by enabling internal auditors and compliance teams to more effectively identify and address compliance issues. By analysing electronic communications for potential compliance risks, AI algorithms can help pinpoint areas of concern in real time, enabling internal auditors to focus their efforts on the most critical compliance issues. This can help to prioritise compliance monitoring efforts and ensure that internal auditors and compliance teams are able to take a more targeted and effective approach to compliance management.
The use of AI can therefore help organisations achieve proactive and continuous compliance at scale. It can help shift the focus from reactive responses to compliance breaches towards proactive compliance through real-time risk prevention. As AI technologies continue to evolve, we can expect to see more innovative solutions emerging in this space, enhancing the capacity and supporting the critical work of internal auditors and risk & compliance teams.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
A few weeks ago, Audit International met with a self-described “introverted” business leader. This business leader confided to us that introverted individuals have a harder time climbing the corporate ladder. The individual went further in claiming that recent research shows that it is worst for women, as introverted women are seen as less assertive and lacking in leadership traits.
Conversely, the business leader pointed out that recent research also shows that introverted individuals actually make better leaders, but because they are not as assertive as their extroverted counterparts, they are not equally represented in leadership positions. That took a minute for us to reflect on. It was one of the most thought-provoking discussions we’ve had in recent weeks.
Curious by the proposition and wanting to see what statistics we could get on the topic ourselves, we set out to create several online polls. Initially, we just asked a simple question:
Do you consider yourself an introvert or an extrovert? Here are three things we learned from asking that and some follow-up questions:
People Do Not Like Binary Options on Personality Traits
In two separate polls across different platforms, we received similar feedback:
“No room for those who don’t fall into these binary groups?” was one of the first responses.
“Some people vary based on their environment,” and “I believe there should be space in between the two,” were two responses that quickly followed.
“Do you have a definition of introverts and extroverts?” was the last question.
Even when we tried to foolishly define the terms we were met with a big, “it depends.”
Lastly, we received the one-word response that took my approach in a different direction: “ambivert.”
The Power of the Ambivert
A full 70 to 80 percent of internal audit professionals considered themselves introverts when only given two choices on the introvert vs. extrovert spectrum. However, in follow-up polls, when the ambivert option was introduced, the results were different. Vastly different. Nearly half of the introverts from the initial polls now classified themselves as ambiverts. Ambiverts were now, in two separate polls, the largest group.
So, what does that mean?
Maybe we’re being foolish again, but here is our theory: Introverted ambiverts are those who usually keep to themselves and don’t brag about their accomplishments, but when the stars align and the spotlight is on them, they shine.
When Audit International first started in the internal audit profession, we worked with two introverted gentlemen. They generally kept to themselves in the day-to-day audit process. But, when they led projects, they had absolute killer instincts.
In that group, they audited the Latin America region, so depending on the country visited they would switch from English to Spanish or Portuguese and back to English with pure finesse. Audit clients would be at ease with their approach and communication style. Anyone who had only known them for that period would swear they were extroverted individuals. But they were not. They were ambiverts.
And that is the power of the ambivert: Killer instincts when it matters.
Extroverts Are Disproportionately Represented in Leadership Positions
Back to the business leader’s proposition that introverted individuals get the short end of the stick when it comes to leadership positions. Was that the case? Based on my poll results, yes.
Extroverts represented approximately one-fourth of the sample population of internal audit professionals. However, they represent one-third of those professionals in leadership positions. Introverts, excluding those with ambivert traits, represented over a third of the sample population of internal audit professionals, but only 10 percent of those in leadership positions. These statistics can be even more accentuated when it comes to female leaders.
A burning question then came to mind. Do extroverts make better leaders? Would that be the reason they are overrepresented in those positions?
Audit International set out to attempt to answer that by asking the community about their experience with their previous leaders. Were their best leaders introverts or extroverts? For this last poll, we purposefully left the ambivert option out.
The results? Extroverts were slightly at an advantage, 53 percent versus 47 percent. In other words, the “best” leader being an introvert or extrovert had close to the same likelihood as the flip of a coin.
How come we don’t have more introverted leaders if they are just as good as extrovert ones?
We don’t have any statistics there but, in my opinion, it’s likely because extroverts are seen as better communicators, and being a good communicator is a sought-out trait in effective leaders.
Should Introverts Lose all Hope?
No. Introverts in some circumstances may have an advantage over extroverts. Another reason is that in [internal audit], passion for the role is important to the impact that you can have on the organization. An introvert has to put a bit more effort into the work than an extrovert does, and I’ve seen several times where this translated to the level of commitment and effectiveness to the role.”
It might even be concluded that an introvert displays more active listening skills and empathy, which is also essential in leadership roles.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
When SOX was first enacted in 2002, its goal was to increase the overall transparency of financial reporting while, at the same time, develop a more reliable system of checks and balances. It was understood that compliance was both a legal obligation and good business practice.
Affecting both public and private U.S. companies, as well as those non-U.S. companies with a U.S. presence, SOX is focused on corporate governance and financial disclosure. It requires that all financial reports include Internal Controls Reporting and demonstrate that a company’s financial data is complete and accurate, with an adequate number of controls established to safeguard it. It also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities.
The continued evolution of ESG on the other hand, includes a variety of factors that are often used to evaluate a company’s commitment to sustainable operations. The environmental factors in ESG offer insight into an organization’s environmental impact, including its carbon footprint, climate change initiatives, waste management policies, natural resource conservation, pollution, or efforts to decrease deforestation.
The social component of ESG examines an organization’s treatment of stakeholders (workforce, customers, providers and suppliers, government, regulators, or the local or global community) on issues such as diversity, equity, and inclusion practices, wages and salaries, and sales practices.
Lastly, the ‘G’ in ESG focuses on the governance factors and how to assess whether a company’s internal processes are able to ensure the organization, and its employees, act with professionalism and integrity.
While SOX is primarily focused on financial information — working with finance professionals and accountants — ESG is more concerned with non-financial data and metrics. It shouldn’t come as any surprise when organizations faced with these evolving and new ESG reporting requirements ask themselves.
The role of internal audit, Starting small and look at the bigger picture:
In the years that followed the introduction of SOX, the effect that it had on the internal audit profession was clearly a double-edged sword. On the one hand, internal auditors were quickly recognized as the experts needed to step into this space and provide the guidance that so many organizations needed. This resulted in growth across both the internal audit profession, as well as the various functions internal auditors were able to provide assurances for. It’s fair to say that internal audit membership more than doubled during the first few years of SOX implementation.
However, due to the urgency and level of uncertainty that SOX presented, leaning heavily on internal auditors also resulted in their spending greater amounts of time focused exclusively on SOX priorities, and significantly less time focused on those risk-based audits that organizations depend on. From an internal audit perspective it was a massive undertaking, and one that led to organizations developing SOX-specific internal audit teams.
Over the course of the last 20 years, and as a direct result of SOX, internal audit’s role around internal controls for financial reporting has become well established. Many of those same auditing skills and practices can (and should) be applied to ESG. However, an all-too-common question that’s on everyone’s mind is — “Who is responsible for ESG?”
ESG should be viewed as a top-down initiative, particularly from an organizational perspective regarding mandates, targets, and how goals are being established, monitored, and reported on. Each area or department of an organization should be aware of and responsible for their ESG initiatives. However, internal audit has an opportunity to become trusted advisors and take on more of an influential role when it comes to those first step.
How can internal audit provide the greatest value?
Organizations should reflect on the experiences they had in the early days of SOX and focus on identifying and understanding what the key controls of ESG will be. Where SOX was focused exclusively on financial reporting, ESG falls into that category of “everything else”. It comes down to the accuracy and reliability of the information. But how does an organization go about achieving that? The same way financial reporting was achieved with SOX.
Organizations have become comfortable with their financial reporting. They have been measured according to their financial results for a very long time. ESG in audit is different. It’s broader. It covers more ground and organizations will need to take some time to comprehend how to effectively turn the foundations of ESG into meaningful reports. Although it may be more complicated, the underlying processes that have been used for Sarbanes-Oxley for the last 20 years can be leaned on as a starting point when addressing ESG and identifying a methodology for assurance.
ESG presents a tremendous opportunity for internal audit to make an impact within their organizations. Because it is still evolving, and new guidelines and mandates are being released every day, a good strategy for internal audit would be to start small and identify those ESG factors that can be quickly included into your existing audit plan. Whether that’s reducing overall energy consumption throughout your office or working more closely with Human Resources to ensure new-hire practices are following appropriate guidelines, acknowledging the industry your organization resides in, understanding its risk landscape, and identifying a best-practices framework will give you the direction you need to successfully navigate ESG.
If there is one takeaway from the lessons learned when SOX was first implemented, it’s that those in the internal audit profession should avoid taking the “wait and see” approach with ESG. ESG is here and is gaining exposure and traction every day. The social ramifications of ESG alone should be enough for organizations to sit up and take notice. Understanding how to audit ESG — knowing your organization’s metrics and targeted reporting requirements, what to audit against and include in the final audit report — will better position you for success as a trusted advisor within your organization. Fill those essential Subject Matter Expert gaps early on with Audit International, identify and engage with key stakeholders, and avoid the reactionary trappings and costly mistakes of waiting too long and scrambling for solutions.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc. across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com
A new focus for Audit International and our clients is ESG. But there is one thing all of us are perhaps not considering as much : ESG’s impact on the workplace.
Environmental, Social, and Governance (ESG) factors are changing how companies conduct business in many ways, including:
– New ESG or climate-related disclosure regulations to comply with, especially in Europe.
– The need to effectively identify and manage ESG risks (including compliance, financial, and reputational risks), and integrate them within the existing enterprise risk management framework.
– Bringing a host of environmental and social metrics at par with financial information, especially with regards to data quality. There is a growing need for investor-grade ESG data.
– Ensuring that ESG factors give you a competitive edge in attracting investors, customers, and talent.
But there’s another change brought by ESG that’s not getting enough attention: The effects on workplace interactions.
– Firms that ‘get ESG right’ understand that ESG isn’t the responsibility of only one person. You can’t simply appoint a Vice-President or Director of ESG, or just place ESG under the Chief Financial Officer or Chief Sustainability Officer.
– Also, different departments can no longer work in their own little world with occasional collaborative efforts across functions. The important changes brought by ESG will also bring fundamental changes to the workplace.
The ESG team :
ESG is a team sport. People from different departments will have to work together as part of a single team.
You may be in Finance, Legal, Risk, HR, EHS, Sustainability, Operations, IT, or Procurement, but now, in addition to your regular teams and colleagues, you will also be part of the ESG team.
And your company’s ESG team will play a critical role because strong ESG performance drives corporate performance.
This represents a significant shift because suddenly key employees will have to align with a new set of stakeholders. They will have to work together with colleagues they might not have worked with before, or even knew. Here’s a sample of the types of interactions to expect:
EHS will have to provide key metrics to Finance for combined financial and ESG (or non-financial) reports.
EHS will also have to show to Finance and auditors (internal or external) how they provide limited or reasonable assurance on the data.
Procurement will seek guidance from EHS and the Sustainability team on how to capture greenhouse gas emissions data to calculate Scope 3 emissions.
HR will be asked to provide more tangible metrics on DEIB to Finance for inclusion in the combined financial/ESG report.
Did you bring together key stakeholders across departments as part of your ESG strategy?
Have you recruited members of your ESG team yet? If this is a topic you are actively hiring for, then please get in touch with us here at Audit International to assist you with any hiring needs you may have.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Our journey discussing the benefits of auditing organizational culture is coming to an end. Audit International began this series by introducing initial cultural auditing concepts in the first article. Then, in the second article, we continued by more closely examining the first half of the top ten tips that were outlined. In this, the final article of the series, we wrap up with the second half of that list and conclude our analysis.
Auditing culture-
Auditing culture requires involving a wide range of stakeholders and will require you to consider alignment of the desired culture to the actual activities of many people. As we have seen, the leadership in the organizations and the people within the business are clearly very important. To get a true sense of culture you will also need to consider organizational partners and outside service suppliers.
If culture is the way things are done more informally, then this impacts everything in your entire organization’s wider sphere. In this context, procurement may be an important stakeholder to engage with in any cultural audit to better understand their selection methodologies, allowing you to form a view, for example, on how they consider cultural fit in the selection of any third-party suppliers. It also goes beyond the selection of suppliers to how we treat them once they are in place. Does the organization treat them fairly, or is the focus on cost at the expense of other, more important matters?
Ensure that you consider both design and operating effectiveness –
Auditing work should be examining both design and operating effectiveness. Cultural reviews are no different but have the tendency to focus on design at the cost of operating effectiveness. As with all audit work, you would typically begin with a risk and control assessment which can be developed in line with the cultural levers you have identified. Typically, an auditor would then request documents, allowing some desktop analysis ahead of the interviews. Interviews with management can focus on whether they understand the desired culture and can clearly articulate this, while also identifying which levers they see as being particularly important for ensuring the culture is real and lived on the front line. Interviews should also probe the extent to which management role model the desired culture every day and ensure their teams’ activities are in line with the culture.
However, understanding operating effectiveness requires a wider approach and talking to a wider range of employees. Focus groups or surveys can be effective to gather data from employees and may provide more diverse views. If focus groups are operated, they will require additional skill, with the lead needing to manage the group so that a fair range of positive and negative views are heard.
Despite the limitations of cultural measures these too should be requested for each of the levers to understand the extent to which the organization has cultural measures and whether the results are acted upon. Measures that you may wish to consider typically involve people management activity, such as employee turnover, exit interview data, grievances raised by employees, whistleblowing information, and absence data. Other areas should also be explored, such as customer complaints data. However, collecting these may present a challenge. If culture is important in the organization, then it will be available and likely reviewed. If not, there is the potential your first audit finding on the need for management to have appropriate measures in place to track whether the desired culture is being delivered in practice.
In Audit International’s experience, there is no, single best way of conducting cultural audits. Rather, you need to form a view of what is right for your organization. One aspect you will need to consider is whether you conduct specific cultural reviews in your audit plan, have it as a component in all audits that you conduct, or draw out cultural consideration into an off-plan piece of work. I’ve seen all aspects of all three of the options successfully implemented.
Don’t go for a grand plan –
It is important that you consider how you introduce cultural auditing into your program of work. It’s a sensitive topic, and management will often be wary of audit getting too involved. Your internal audit colleagues may also be nervous about whether an area like culture can, in fact, be meaningfully audited. The best advice being — don’t go for a grand plan, but rather start small, test, and learn as you go. This includes building support from the Board and executive leadership by demonstrating, as you go, the insights gained from the cultural examination you have completed and the possibilities to go further with increased resources and business buy-in to this challenging area.
This lends itself to the suggestion to start with a pilot, or a proof of concept, where you identify an area of the business to work with and look to introduce the concept of auditing culture at this point. This should be an area where you know you have a senior auditee who is an advocate of internal audit and willing to work with you to make the pilot a success. Audit International have found that success breeds more success and considerable momentum can be delivered in this manner. Early on, it is also good to share examples of your work and the value it is bringing. I call this the “test, share, and impress approach.”
Collaborate with your business colleagues –
It is also very important to work with the business. The tip here being: Collaborate with your business colleagues – independence is a mindset. Audit International have spent time with many auditors who have been reluctant to collaborate in any deep manner with the business, citing the audit charter and the need for full independence from first-and-second-line activity. We agree, our independence as internal auditors is very important. We need to be objective in all we do to avoid threatening this. However, Audit International don’t believe independence means that we cannot work closely with the business where it makes sense to do so.
One such area, for example, is the identification of the cultural levers discussed earlier – an organization-wide conversation on this is helpful in building appropriate understanding and support for the examination you wish to conduct. Also important is the identification and quick access to relevant data for your cultural work, both at an organization-wide level, but also in divisional units of your business. There is likely to be shared interest in this area, particularly with your HR function. Given this shared interest, it makes sense for all those interested in cultural understanding to come together to share ideas and data for the benefit of the business. For example, this may mean developing a shared data area that all can access. Identify across your business who is interested in this space and join with them to share, learn, and progress.
Upskill all auditors at all levels –
Finally, ensure that the program of work you want to introduce is a sustainable approach to auditing culture. Find a way to get your people behind this approach. At heart, we are a people business and any push to audit this challenging area on a sustainable and systematic basis will depend on the skills and knowledge of your teams.
This leads to the final tip to upskill all auditors at all levels. As we identified earlier, your impact is likely to be much higher if your teams integrate consideration of cultural levers and impacts throughout your audit work and not just in any standalone audit you may do. Understanding the nuances of culture is not simply reserved for HR and psychologists but is a core competency for all auditors. This should be reflected in the recruitment and development approach for your team.
This is likely to mean that if you are going to make cultural assessment a core part of your internal audit work you will need to provide training to the audit team. This will need to cover the organizational cultural levers that you have identified, the data that can help you understand these levers, and the interviewing techniques that will need to be employed to get to actual, as well as espoused, culture. Be honest with yourself and acknowledge where you don’t have the skills that are needed. You will likely need to draw on other sources of expertise, including business and external consultancy support. These can allow you to supplement both the capacity and capability of your team.
And, of course, think carefully about how you organize to deliver this challenging area of work. Our current view is that a multidisciplinary (sometimes called Hybrid) approach is most successful. This is all about how you set up your operating model to deliver your cultural audit work. Some larger functions have established dedicated, well-resourced teams to examine culture in their organization and have staffed this with a blend of expertise, including behavioral psychologists. This group of specialists work alongside and coach front-line auditors who are then encouraged to consider cultural levers in all their audit work as we discussed earlier. Clearly, this is more relevant for larger organizations, but even in smaller functions, you may choose to appoint a cultural lead (or champion) with the responsibility to support and drive the integration of cultural aspects into all your audit work.
Conclusion –
There is no silver bullet for the successful development and implementation of a cultural audit program. Hopefully, the tips that Audit International provided throughout this series of articles will be a useful catalyst for your work in this space as you consider the conditions needed for you to achieve momentum around the idea of auditing culture in your organization.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International now bring you the second part in this three part series – Having introduced the initial concepts of what is involved with auditing organizational culture in the first article of this three-part series, we now can begin the process of drilling down and more closely examining the first five of the top ten tips to conduct a culture audit.
Identify your cultural levers:
The first step to successfully conducting a cultural audit is to identify the daily management activities that occur throughout the organization – your cultural levers. These levers look to align the culture we desire with the day-to-day activities of everyone in the organization. If we understand what leaders focus on to deliver this alignment, then we have a starting point for identifying what to test to provide our opinion on the effectiveness of culture.
Cultural levers often vary from organization to organization, so you need to work with management to identify what is influencing behavior within your specific organization. However, there are areas that I would expect to see. Published value statements are significant and an indication of what should be happening. Leadership is also significant, not just at the top but cascading throughout the organization at all levels. In this context, the organization’s approach to people management is vital with the impact this has on encouraging the behaviors that are needed for success. However, culture goes much deeper and is present in the management of other resources, including areas such as customer engagement, complaints handling, supplier management, corporate responsibility, risk management structures and profile, and internal and external communication.
This may appear daunting, but a well-organized approach to assessing each lever can quickly identify areas that are not truly aligned with the espoused values; a clear indicator that desired culture is not operating as expected.
The next four tips examine these cultural levers more closely to illustrate what they mean and to help inform you about the questions you might want to consider testing in order to arrive at an opinion on the organization’s culture.
Reputation:
Employees watch what leaders and key individuals in organizations do and how they operate. They see the dissonance between what the organization is saying, both in its external and internal communication, and their lived experience of working there. Assessing whether there is alignment is a key aspect of any audit of culture. This is even more important given the increased focus over recent times on aspects of corporate and social responsibility and the push for Environmental, Social, and Governance (ESG) activity from investors. Acquisitions of ‘greenwashing’ in your communications can be hugely damaging. This means that it is important to pay attention to external reputation and its alignment with internal messaging and should be considered across all social media.
Leadership:
The third tip is all about the examination of leadership’s role in owning and managing the culture in the organization. In internal audit, we need to examine whether this is occurring both at design and operational effectiveness levels. We are there to check that the activities of leaders are aligned with the espoused values and are supporting the delivery of the business strategy. In our audit work we should be looking for a consistency of message and actual managerial behavior. Leaders play a pivotal role in managing the business such that there is consistency across activities and that they work toward delivering the required culture for success. To do this practically, we need to build audit programs that look for evidence of areas such as misalignment in leadership actions and customer-centric examples that manifest in the practical activities of front-line colleagues. Leadership should be able to clearly demonstrate actions that they have conducted that help move the organization closer to accurately living the culture and evidence-measurement activity that supports this.
In this context, during an audit, I would expect leaders to be able to articulate how they ensure the culture is embedded through their team’s day-to-day activities, including examples of how they role model the culture in their own activities and interactions. Interviews will form a significant part of assessing these. However, data analytics can also be used to examine areas such as communications from leaders over a period of time looking for references to culture.
Simply put, what you are looking to establish here is whether the fine words on a page have a living connection with reality and link through to a real impact on the delivery of the organization’s strategy.
People management:
This leads us to the next cultural lever – people management. The key here, as with all aspects of cultural audit, is alignment. Across the entire employee lifecycle the behaviors we need to exhibit for the business to be a success need to be front and center. This starts with the employment brand, which should signal to potential recruits what the organization’s values are and includes the testing of new recruits against this. Objectives need to be set not only about what is needed to be delivered in terms of financial results, for example, but also how these results will be achieved.
Performance management needs to be expertly conducted to explore the colleague’s contribution to delivering organizational success in the way we want it delivered. This should be a continual process and include ongoing dialogue, not just an annual form-filling event. Promotion decisions should clearly consider this aspect and signal to all colleagues how behaving in the right way counts for personal success.
In developing your audit program, you need to consider all aspects of the employee lifecycle: attraction, reward, management, development, and exiting colleagues. In reviewing all these aspects, you need to be cognizant as to where the controls are operated. In most organizations, while the Human Resources function is likely to have a key role in the design of many of the practices mentioned, the management of the risk and operation of the controls largely sits within the business units of the organization. That is the place you need to be testing reality, not just within the HR function.
Identify key processes and assess alignment:
Next, we move on to two heavily connected cultural levers: process and change. When reviewing your organization, a key step is to identify the processes that are critical to the management of the organization’s culture. From this, you can review whether their operation is consistent with the outlined culture. In this case, we mean the culture promoted not only to your employees but outside your organization through your brand and external image to customers and other important stakeholders.
Employees, in their scanning of the organizational environment, will spot processes that do not sit well with declared ideal behaviors and values, where potentially the organization is looking to put short-term gain before longer-term goals. If these exist, it sends a huge signal to customers and colleagues that leadership does not really mean what they say. Included in these key processes are likely to be many of the internal processes around people and supplier management, but, most significantly, processes around how you deal with customers and how you respond to their feedback and complaints.
Alongside this, consideration needs to be given to how the organization’s change programs identify how changes they are looking to enact to systems and processes promote the desired culture. Change programs are a key touch point where the organization can ensure that the culture is being reflected in operating practices. However, they can also be a point of risk. Delivering efficiencies, while at the same time undermining the desired culture, can create problems that are hugely difficult to unpack.
Next up, in the third and final installment of this article series, Audit International finish identifying and discussing the remaining top ten tips to audit culture and conclude the journey that set out to help you deliver cultural insights within your organization. We hope you’ll stick with us.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
At Audit International, we understand auditing organizational culture is a challenging area for internal audit. Culture is dynamic, and regularly changing. Successful auditing of culture requires a holistic approach across the internal audit function covering the development of internal auditor skills, adjustment to audit methodology, and buy-in from the business regarding the value insightful culture auditing can bring.
In this first article of a three-part series, Audit International examine and discuss the various factors for successfully auditing and influencing culture in your organization.
What is organizational culture, and why does it matter?
Before looking at how you audit culture, it’s necessary to first have a good understanding of what you mean by culture and why it’s important to organizational success.
The classic definition is around the phrase coined by Charles Handy, “the way things are done around here”. While helpful for us to gain insights into auditing culture, we need to unpack this further. Culture is about the interaction between values and behaviors and how these are seen in the organization’s activities and interactions with the range of stakeholders it has (e.g., employees, customers, suppliers, and society).
Top ten tips:
Given the fact that you are reading this article, hopefully you are already convinced that internal audit has a role to play within the organization when it comes to assessing culture. You may already be on this journey delivering cultural insights through your work to your Board, or you may simply be interested in learning more about how to begin this journey. Whichever stage you find yourself, the following top 10 tips will provide you with some initial and practical thoughts that provide a view on culture and the direction needed to influence both management and the Board.
1 – Identify your cultural levers
2- Reputation, Identify whether the organizations actions and messaging, internal and external, are aligned
3- Leadership, Do they own and manage the culture?
4- People Management, Is desired culture integrated into people-management activities?
5- Identify key processes and access alignment.
6- Auditing culture, is this holistic approach being considered by a wide range of stakeholders?
7- Be sure that you consider both design and operating effectiveness.
8- Don’t go for a grand plan.
9- Collaborate with your business colleagues, independence is a mindset.
10- Upskill all auditors at all levels.
In the coming second and third articles of this three-part series on auditing culture, Audit International will take a closer look and provide a more in-depth examination of each of these suggested ten tips. These follow-up articles will offer examples and provide opportunities to more successfully audit and influence the culture at your organization.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Let’s face it. Even here at Audit International, we understand Internal audit still suffers from some rather negative stereotypes. There are plenty of companies or units where internal auditors are not welcomed with open arms. Audit clients may view internal audit with suspicion, expecting a “gotcha” mentality or may feel like they are under surveillance.
Sure, it’s often undeserved and some of it comes with the territory, but we may even be perpetuating such negative views with the words we use. Words and phrases that internal auditors consider just a normal part of the profession’s vocabulary may actually be words that trigger negative reactions in our audit clients. And often, internal auditors don’t realize they are contributing to the hostility by using them.
Words matter and good internal auditors choose them carefully. But auditors are also as prone to using professional jargon as anyone. These are words that have become so commonplace that we might not think too much about what they really mean, especially to others. We all use them. Yet, how they might be interpreted may not be how we intended. So, what can we do about it?
Here are seven words that we should consider their meanings more closely and either use them more carefully or strike them from our vocabulary completely.
1. “Finding”
Most internal auditors call what we consider reportable (in writing and verbally) a “finding.” Think about that for a moment, though. It’s not as if the vast majority of our audit observations were hiding or lurking in some hard-to-discover, dark and foreboding place, and it took our best Indiana Jones skills to unearth them. Lo and behold, ah ha! We have a “finding.” The word relates a context of sleuthing and uncovering things that were hidden, perhaps intentionally.
So put yourself in the shoes of your audit clients. We come along and have all these “findings,” as if they weren’t doing their jobs and it took us to find these gems of reportable conditions. Worse yet, we are often reporting as “findings” what audit clients told us directly. How would you feel if someone walked through your house and told you at the end of their visit that they found the carpets needed vacuuming, the furniture needed to be dusted, and relayed a few other of their insufficient housekeeping “findings.” You’d likely be inclined to never invite them back.
Try using the words “observations,” “conclusions,” or “conditions,” rather than “findings.” You may find they work better in your organization. Audit clients will feel less like they are being accused of hiding information or that they didn’t see something that the auditors later uncovered.
2. “Weakness”
When we observe an issue, we also sometimes couch that issue by using another troubling word, “weakness.” We may not be able to avoid calling breakdowns in internal controls, as they relate to SOX-like work, “control weaknesses” if the controls are not working as they should (or at all). But we should avoid calling observations outside of controls “weaknesses,” if possible.
Think about it. You go into the manager’s office during an audit, and you say, “excuse me, if you have a few minutes I’d like to go over a few weaknesses that have come to our attention during our review of your area.” Expect immediate defensiveness. We might as well be criticizing their first-born by pointing out weaknesses in how the child looks or plays with others. The word connotes physical ineptitude and can strike a visceral blow to any manager’s ego.
Like weaknesses, “deficiencies” isn’t any better for all the same reasons. So, perhaps, try “opportunities,” or “matters for attention,” rather than “weaknesses.” Even “challenges” or “difficulties” will garner a better response from audit clients.
3. “Material”
While the term “material” has been part of auditing language forever and, although tough to really quantify, is an important and meaningful word. I mean, if it’s not material why look at it or consider it at all? We also have the SOX-related nomenclature of “material weaknesses” (which people want to avoid as best as possible). Look, if you tell someone something is “material” and it truly is agreed that it is “material,” that’s a big deal.
Yet when we tell someone who is the owner of something that we want to talk with them about a matter that is “material,” what would be the natural reaction of the person on the receiving end of that word? Disbelief, denial, and outright defensiveness are natural human reactions when told something is “material,” in a bad way, which affects them or their responsibilities. Think about being in the doctor’s office because you have not been feeling well. After a bit of consultation and tests, the doctor comes in the room and tells you that there is something “material” to discuss. You are likely to act with disbelief, denial, and defensiveness, naturally. The word conveys an urgency we might not intend. Do we really want our clients to react that way, now or in the future?
Note that “material” has an important legal context. The Securities and Exchange Commission defines “materiality” as anything a reasonable investor would deem relevant to their decisions about whether and how to invest. While it’s important to use this word carefully in this legal context, it’s also easy to adopt the word and use it outside this context, which can result in misusing it. Another problem with “material” is that it implies that everything else isn’t important or that other aspects of an audit client’s work are meaningless, which is not a great sentiment to convey.
So, perhaps, when you don’t really have to use the word “material” (or “significant” for that matter) in consultation or in writing, maybe consider some different language. Hey, there’s something important I want to run by you when you have a moment, and maybe we can write about the top matters for attention without calling them “material” (unless, of course, we must).
4. “Disclosed” or “Uncovered”
Like the word “finding,” the word “disclosed” (or the word “uncovered’) has a similar connotation. It’s as if the issue was hiding and no one knew about it or would ever find it without you, and your brilliance—the internal audit superhero with x-ray vision. OK, sometimes things were truly hidden, unintentionally or, worse yet, purposefully, and we did use our internal audit superpowers to uncover it and then we get to puff our chest and—cue music here—disclose it. But, come on, that’s rare.
Yet, we use the terminology all the time. For example, resulting from of our testing, it was disclosed that blah, blah, blah. Or, based on our review of the area, it was uncovered that yada, yada, yada. Now, if you’ve got sneaky and underhanded clients, who are going around hiding stuff from you that you truly uncovered and want to disclose to the world, then fine. But most clients don’t do that, and you want to collaborate with them in the future.
Imagine how you’d feel if the external team you hired to do your Quality Assurance Review (QAR) started telling everyone, verbally and in writing, what their work (and only their work) disclosed and uncovered in your internal audit department? How would you react to that? “Disclosed” implies that something was formerly a secret and now you are airing the dirty laundry out for the world to see.
So, maybe we need to back off the “disclosed” and “uncovered” language, at least a bit. Options might include, “along with management, we identified …,” “taking full stock of the evidence, it can be concluded that …,” “testing demonstrated that …,” or similar language. Just don’t use “revealed” instead. That’s just as bad.
5. “Entrance” and “Exit”
OK, you may need to bear with me a bit on this one.
We’re going to start an audit project, and our first meeting with the client is called, in many companies, an “entrance meeting.” Then, when we’ve concluded all our fieldwork, what do we call the last meeting with the client to wrap things up and ride off into the sunset to work on the audit report for weeks on end? The “exit meeting.” They are decent terms, descriptive of exactly what they are … our entrance (ugh, the auditors are here) and our exit (yes, they are leaving, let’s party).
Let me ask you this, though. Is this audit, the one you are doing an entrance into and an exit from, the first and last time you will ever see these folks? I sure hope you have an ongoing relationship and are interacting all year long, or at least on occasion. If that’s the case, there is no entrance and there is no exit because, like the song Hotel California, you may never leave. And, if you’ve done your relationship management right, they are happy about that.
The point is that “entrance” and “exit” are old-school terms from when we did things on a cyclical basis and may or may not come back. Back then, relationship-building was less important and audits had a fixed beginning and end. So, maybe we need to stop calling them “entrance meetings” and “exit meetings,” and just call them something else that isn’t so clinical and auditor sounding. Schedule your Project Introduction Meeting at the beginning and, maybe, your Project Wrap-Up Session at the end, or something like that. And, if you are well down the path of an agile implementation, all that entrance and exit stuff becomes moot anyway.
6. “Consulting”
Back in 1999, the Institute of Internal Auditors introduced the well-accepted and globally codified definition of Internal Auditing as: “An independent, objective assurance and consulting [emphasis added] activity designed to add value…” Back then, the word “consulting” was viewed positively. And, for internal audit to be positioned to not only provide assurance, but to also be viewed as a consultant? Well, to borrow a ’90s term, that would be “da bomb!”
But, somewhere along the way, the word “consulting” came to be viewed less positively, and we’ve started to insert the word advising to soften the term. Should we blame consultants for tarnishing a good word, and making people view consultants and, in turn, consulting, negatively? Perhaps, but that’s not the point.
We all want to be advisors, and the gold standard, the place to be, the coolest accolade, would be to be trusted and be an advisor. So, in our pursuit of being that vaulted trusted advisor, let’s drop the word consulting from our vocabulary, once and for all. Look, your clients might want to “consult” with you, but hopefully you are “advising” them.
7. “Satisfactory”
Often, we as auditors don’t want to overcommit, and use words that might get us into trouble later if something is determined to be different than our work concluded. There is just so much we can evaluate and then we must draw a conclusion and move on. So, we settle on words like “satisfactory,” even if things are notably better than the word implies. From an internal audit perspective, we are hedging out bets. We don’t want to be overly flowery with praise, and just conclude something is either “satisfactory,” “needs improvement,” or “unsatisfactory.”
Put yourself on the other side of the table. Let’s say, for instance, you’ve worked hard at something, gone the extra mile, and made sure it was done exceptionally well. Then, someone comes in, looks it over, and decides that things seem “satisfactory.” Ouch, gut punch! You put in a ton of effort, expected to get an “A” grade, and the professor gives you a “C.” That’s kind of deflating.
Let’s not forget that the word “satisfactory” means acceptable or good enough, but not outstanding or great. Yes, there are reasons to fall on the crutch of concluding, placing our highest auditor grade on something, that it is “satisfactory.” But, perhaps, if we can avoid it, we take the risk, rely on our work, and conclude that something better than a measly “satisfactory.” Don’t be afraid to say if something is exceptional, great, works well, or exceeds the requirement.
The Last Word
There is a lengthy list of good reasons, justifications, and rationalizations for why we use the words we do as internal auditors. Many of them have stood the test of time. Many are in use, and still exist, because we are hearing the world through our own ears, and not our clients’.
If we stop for a minute, and consider what these words sound like and what they actually mean, and the impressions they may leave on the ears of our clients who hear them, perhaps they are not the best words to use. Perceptions are reality, and if you want to change perceptions, maybe one way to do that is to change our vocabulary. In other words, say what you mean and mean what you say.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
In 2023, organizations may face new and expanded cybersecurity and compliance mandates, which could vary from location to location and from one industry to the next. As a result, your organization may be looking to obtain a certification or will need to pass an audit for a specific set of standards or requirements.
While recognition for demonstration compliance or receiving certification is a great reason to celebrate, the process leading up to that is often time-consuming and sometimes dreaded, especially if you must undergo an audit first.
But audits don’t have to be as frustrating as they once were. With the right resources and tools, you can pass your next audit with ease. Here are five tips from Audit International to help:
Know your current program state.
Don’t wait until the audit is underway to find out where you might have gaps or weaknesses. Go ahead and assess your current compliance state so you know what you need to address before your real assessment gets underway. Consider using a cybersecurity compliance platform that automates these assessments for you and look for a platform that gives you real-time compliance scoring, so you’re never caught off-guard if something isn’t functioning as you intended or you’ve overlooked an important control or other security measures.
Document and evidence.
You can do everything correctly and score 100 on your current assessment, but if you don’t have a document repository that puts everything you need right at your fingertips in one place, or if you can’t supply all the necessary proof and evidence an auditor may want, you likely won’t get credit for what you’re doing right. Put away those binders of dusty old printouts you haven’t looked at since your last audit. Instead, use a cybersecurity management platform to track and retain all of your evidence and documentation all in one place for easy, shareable access with your auditors.
Put teamwork to work for you.
Instead of chasing down who’s responsible for which compliance requirement and trying to understand what they’re doing and how well they’re doing it, use a compliance management platform to help you automate task assignments, track progress, send alerts when those tasks are complete, and assign new tasks as they pop up. A platform like Apptega can even externally alert your auditor when your team has completed an evidence request or other necessary task.
Communicate across your organization.
One of the challenges in building a compliance culture is often that program managers speak industry lingo and not the same language that people in different roles within the organization can understand and relate to their day-to-day responsibilities. Instead of scrolling through hundreds, maybe even thousands of rows of data to find what you need for your next compliance conversation, consider using a compliance management platform that has a pre-built library of reports you can quickly draw on for your next engagement, whether that’s your C-suite, an auditor, or your tech team.
Don’t go at it alone.
While you can meet all the requirements on an audit prep checklist, the reality is when you work on a program, it’s easy to overlook issues an outside eye might catch. Before your next audit, go beyond a self-assessment and consider working with an outside compliance consultant to take a closer look at your existing program and help you seek out and address issues before your auditor finds them.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
Audit International are stating the main Risks and Actions companies are putting on their 2023 internal audit plans. The past year concentrated attention and shone a spotlight on the increasing fragility of organizations. With a complex set of risks manifesting simultaneously, audit committees are prioritizing some of the most serious implications resulting from the ongoing war in Europe and a triple squeeze of supply chain, workforce and inflation pressures.
According to data from Gartner’s 2023 Audit Plan Hot Spots report, which identifies the key risks and recommended actions for Audit to benchmark their efforts against in the coming year, 81 percent of Chief Audit Executives polled have cyberthreats on their agenda to cover in audit activities over the next 12-18 months, with an additional 13 percent tentatively planning to do so. Even in a year with a high number of varied and seemingly imminent risks facing organizations, cyberthreats remained an agenda topping item for Audit Committees and senior executives as the drivers of the risk shifted from a generalized focus on inadequate security controls to specific need to prepare for highly sophisticated state-sponsored cyberthreats and new cyber breach disclosure requirements. Even as some risks remain perennial threats, shifting drivers can change the nature of the risk and need for updated mitigation and coverage plans.
Cyberthreats, however, are not the only vulnerability an organization faces in an increasingly fragile world. In developing this year’s report, the need for Audit to support their organizations through rethinking their approach to resilience in the face of growing fragility became evident as a key theme underlying several top organizational risks. These risks are generally under-covered in audit plans for 2023, in some cases less tangible and immediate than the category of risks that have been urgently prioritized as a result of the headline events of this year.
Resilience-related risks are manifesting with real world and high-velocity consequences all the same, and Audit needs to understand the risk indicators, urgency drivers and the right questions to ask the business to ensure that rethinking resiliency is on the agenda in 2023.
Below I review three such risks and strategies for Audit on how to approach them.
Climate Degradation
Nearly six in ten CAEs have no specific plans to provide assurance over climate degradation next year. This in and of itself is a key risk indicator for most organizations, as a failure to refresh business continuity plans related to climate risks puts an organization at higher risk for a key infrastructure failure and related loss of productivity among other risks.
While CAEs generally express limited confidence in their climate coverage plans, rethinking resilience means going beyond sustainability reports and identifying vulnerable assets. Audit departments need to incorporate in their plans the inevitability of increasingly severe weather events and mitigation strategies for the loss of key infrastructure, both their own and that of key third parties, such as suppliers.
Culture
Even more challenging for Audit is culture, traditionally a key source of resilience for many organizations that now is fraying under the weight of new working models (hybrid/remote), social and political polarization and a general lack of connection felt by employees who are reporting witnessed misconduct at rates 30 percent lower than pre-pandemic.
Despite such challenges, only 16 percent of CAEs are revisiting culture in light of shifting sociopolitical expectations of their workforce, investors and the media for next year, and just 10 percent report they are highly confident in providing assurance in this area. Internal Audit needs to push the business on reassessing how employee expectations and engagement are monitored in a hybrid and remote world, while policies related to political and social issues need to be formulated now and not in real time during a crisis.
Organizational Resilience
Ultimately, rethinking resilience means covering organizational resilience as a dedicated risk that is part of the audit coverage plan. Organizational resilience, broadly defined, is an organization’s ability to withstand shocks. This is likely to become ever more important in the face of new and ongoing geopolitical tensions, which can abruptly trigger a set of interconnected but differentiated risks to manifest simultaneously. While refreshing scenario planning and mitigating against change fatigue are necessary steps in this process, building true organizational resilience requires a view into the interconnected risks facing an organization and developing resilience-related initiatives across the enterprise.
With less than half of CAEs definitely planning to cover organizational resilience next year and just 32 percent highly confident in providing assurance specifically on matters of resilience, it’s clear there is more work to do in establishing this as a top audit priority. Chief Audit Executives can regain momentum by launching activities that encourage collaborative discussions between business units on interrelated risks and reviewing plans to address change fatigue within their organizations at a time when events over the past two years have likely dramatically diminished capacity in this area.
While these resilience-related risks feel less tangible and urgent than mitigating against “clear and imminent” dangers like supply chain vulnerabilities and state-sponsored cyberthreats, they are important and increasingly acute risks in their own right. Viewing them through the lens of rethinking what it means to be a truly resilient organization can be a useful framework for starting the right conversations within the Audit Committee and formulating effective coverage in next year’s audit plans.
Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”
