Auditing risks in culture

By Ken Tysiac

Cultural flaws can seriously damage an organization. Here’s how internal auditors can reduce risks by embedding culture audits into existing audit programs.

Communicate your intentions. When internal auditors identify the risks that culture can pose, it may be up to them to take the first step to move the board and senior management toward supporting this kind of auditing, said Jason Pett, CPA, the U.S. internal audit services leader and financial services risk leader for PwC.

Start with a mandate. Ideally, the board or audit committee will see the value of including assessments of culture in the audit process. A mandate from the board or audit committee will provide internal audit the backing it needs to perform this work.

Evaluate culture in each audit. An evaluation of culture should take place in each audit performed and consist of a series of questions about culture. For example, in the basic audit of a performance bonus or commission structure in a sales channel, internal auditors would ask who establishes the criteria for bonuses; whether compensation is tied to doing the right thing for the company; whether bonuses incentivize the appropriate behaviors; and whether messages about expectations are properly communicated.

Use professional judgment. There is not one "standard" for corporate culture, so internal auditors will need to use professional judgment to evaluate culture based on their experiences and an accumulation of multiple data points, Pett said. "Internal auditors aggregate some substantive findings and some softer findings," he said. "But they're still facts that you've accumulated throughout the year across multiple audits. You then need to aggregate these facts ... and come to some sort of conclusion."

Report. The method of reporting on culture may vary, Pett said. Concerns (or lack of concerns) may be reported informally to the audit committee. Evaluations and conclusions on culture may be included in each individual audit report. Or findings on culture may be aggregated and presented in an annual report on organizational culture. Internal audit cannot allow itself to be influenced by negative reactions to findings, said Peter Parillo, CPA/CFF, CGMA, vice president for internal audit for energy services holding company South Jersey Industries. "The foundation of internal audit depends on you and any head of internal audit standing strong and confident in what they're doing and what their team is doing," he said.

Develop talent. A capable staff is the key to accomplishing this type of audit activity, Parillo said. "It takes very senior-level resources to understand the business, to do this right, and have the respect of senior management to drive those messages home," he said.

Editor's note: This checklist is excerpted from the article "Internal Auditors Turn Focus to Organizational Culture," Nov. 3, 2015.

—By Ken Tysiac (, a JofA editorial director.


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.