Internal auditors turn focus to organizational culture

By Ken Tysiac

Perhaps internal audit is evolving to focus on organizational culture because daily news reports are filled with stories of culture gone awry.

“There have been very big headlines that we all know about, where you could look at organizational culture and say, ‘That was part of the problem,’ ” said Jason Pett, CPA, the U.S. internal audit services leader and financial services risk assurances leader for PwC.

Perhaps the evolution of technology and continuous monitoring has helped internal auditors get a better grasp on controls testing, creating more opportunities for them to assess culture.

“This topic comes up more frequently now, because we’ve tested every control seven ways till Sunday,” said Peter Parillo, CPA/CFF, CGMA, vice president for internal audit for energy services holding company South Jersey Industries. “It’s amazing to see how much testing has evolved, but at the end of the day it does come back down to the organization’s culture.”

Whatever the reason, the assessment of culture is coming into focus as a key responsibility for internal audit at many organizations. Culture was identified as a high risk to an organization by more than half (56%) of respondents to a poll by the Institute of Internal Auditors Financial Services Audit Center. The survey of more than 400 respondents represents the views of internal auditors primarily from North American financial services organizations.

Despite the recognition of culture as a risk, half the respondents said it is not audited at their organizations. A little more than one-third (37%) of respondents said culture assessment is embedded in their existing internal audit programs, and 7% reported having specific audit programs focused on organizational culture.

Pett and Parillo are proponents of embedding culture assessments into existing internal audit programs. Parillo said conducting specific audits focused just on organizational culture can put personnel on edge and lead to less-than-accurate responses.

Pett said it can be a challenge to initiate a specific audit program focused on organizational culture because it requires defining a framework against which culture is going to be evaluated.

“You need to be able to define what good culture is within the specific company environment,” Pett said. “Is that just what the CEO says it is? Is it what the board says it is? Is it what you think it should be? It is a challenge for internal audit functions to audit against something that is a little bit more difficult to pin down.”

Pett said it’s more common for internal audit functions to embed an assessment of culture into the risk assessment and audit process of every audit they perform. Using this strategy, internal auditors should start with a mandate from the board or audit committee to include assessments of culture in the process.

Sometimes that requires internal auditors to take the first step to move the board and senior management toward supporting this kind of auditing. Pett said it’s essential for internal audit leaders to communicate their intentions to perform this kind of audit and ideally gain both board and management support.

This gives internal audit the ability to ask questions and evaluate culture in each audit. Take, for example, a basic audit of a performance bonus or commission structure in a sales channel. In addition to auditing the metrics and the process, internal audit would evaluate cultural questions such as:

  • Who establishes the criteria for bonuses?
  • Is any part of the compensation structure tied to doing the right thing for the company?
  • Do the bonuses incentivize the appropriate behaviors?
  • Are messages about expectations properly communicated?

Ultimately, because there is not one “standard” around corporate culture, an internal auditor will need to use professional judgment to make this evaluation of culture based on his or her experiences and an accumulation of multiple data points, Pett said.

“Internal auditors aggregate some substantive findings and some softer findings,” Pett said. “But they’re still facts that you’ve accumulated throughout the year across multiple audits. You then need to aggregate these facts, make sense of them all, and come to some sort of a conclusion.”

How internal audit reports on its conclusion may vary, Pett said. Concerns (or lack of concerns) may be reported in an informal way to the audit committee. More formally, evaluations and conclusions on culture may be included as findings in each individual audit report. And most formally, the findings on culture may be aggregated and presented in an annual report on organizational culture.

Reporting on culture does come with challenges, though. Pett said that leaders of an organization with a toxic culture may not support internal audit in reporting on culture. Parillo said there also is a danger of retaliation against internal audit. Nonetheless, he said, internal audit cannot allow itself to be influenced by negative reactions to findings.

“You have to make the statement,” Parillo said. “You can’t back down or be intimidated, because the foundation of internal audit depends on you and any head of internal audit standing strong and confident in what they’re doing and what their team is doing.”

Indicators of a successful organizational culture listed by Parillo or Pett include:

  • The existence of strong governance, with clear policy and procedures.
  • The communication of policy and procedures, upward, downward, and across the organization.
  • Clear and consistent communication from senior management regarding their expectations around control and “doing the right thing.”
  • Application of policy and procedures to all levels of management without exception.
  • Alignment of the system of rewards to the right behaviors.

Culture also often can be discerned from how individuals or managers respond to internal audit findings, Parillo said. It’s an indication of an honest, trustworthy culture when individuals accept findings and recommendations without confrontation and are prepared to develop a remediation plan with a realistic time frame.

When process owners are confrontational about audit findings, it may indicate a resistance to change. When individuals are flippant about findings, it can indicate that they may not be willing to adhere to controls.

Audit committee members should want to know about those responses, Parillo said.

“When I am in executive session with the audit committee, they ask me straight out, ‘Are there any issues that we need to be made aware of? Are process owners giving you what you want? Are they cooperating with you?’ ” Parillo said.

But he also has seen colleagues and acquaintances at other organizations fail to receive support when they have attempted to call attention to cultural deficiencies. He said those internal auditors have left their employers after realizing their organizational cultures were not conducive to a positive internal audit environment.

Pett said the headlines show that there is extreme danger for organizations that resist internal audit assessments of culture, and that a capable staff is key to accomplishing this type of audit activity.

“You need to have the right talent to do it,” Pett said. “It takes very senior-level resources to understand the business, to do this right, and have the respect of senior management to drive those messages home. It is a very big challenge, but I think that internal audit functions can start to pick away at this.”

Ken Tysiac ( is a JofA editorial director.


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.