Key responsibilities of Internal Auditor

Job responsibilities of internal auditor, and responsibilities of internal auditor and external auditor
Dr. Kiara Simpson, United States, Researcher
Published Date: 05-07-2017
Culture and the role of internal audit – looking below the surface

Executive summary

“The problem is; complex organisations, like the NHS, mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat” [2]
Roy Lilley, Health Writer and Commentator

• This report is important for the following reasons:

1 How organisations, and individuals within them, behave has become a matter of public concern. Poor organisational culture has been identified as the root cause of scandals in the health, financial and food sectors among others, and many have been at great cost to individuals, organisations and even countries. Boards and internal audit need to focus on the risks that culture presents.

2 Effective Internal Audit in the Financial Services Sector, published by the Institute in July 2013, recommends that internal audit should include within its scope the risk and control culture of the organisation and evaluate whether the organisation is acting with integrity in its dealings with customers and in its interaction with relevant markets. This will require internal audit to take on new tasks.

3 A dialogue is needed between heads of internal audit (HIAs) and boards regarding the importance of culture. In the Institute’s latest annual Governance and Risk Report [3], ethics and culture was one of the top three areas where HIAs are planning to increase their resources. Therefore boards and HIAs need to reach a common view of the importance of culture and the role internal audit can play in supporting boards in this area.

• This report will be of value to boards, policy makers, and regulators as well as HIAs. It shows how internal audit can be harnessed more effectively to support boards in the development of organisational cultures that improve the management of risk and the functioning of organisations more generally.

• The behaviour of employees at the front line, such as sales staff, dealers or care workers, needs to conform to the ethics and culture of their organisation, and boards need to be assured that the whole organisation is pulling in the same direction. This is no easy task but internal audit can support boards in providing this assurance.

• HIAs play a valuable role in assuring that processes (such as performance management and remuneration), actions (such as decision making) and tone at the top are in line with the values, ethics, risk appetite and policies of the organisation.

• Our HIAs are taking two main approaches to auditing cultural indicators. The first approach is to incorporate culture into each audit, through techniques like root cause analysis, identifying why issues occur and how they can be the drivers for wrong behaviours, and then to join the dots across individual audits. This takes them beyond focussing on processes and controls and requires them to be comfortable with combining hard data with gut feel. They also need to have a different type of dialogue with the audit committee chair and/or CEO, using more subjective judgements and requiring enhanced communication skills. Some say that this is what any good internal audit has been doing all along but only now is it being badged as culture. Others see this as a new departure.

• The second approach is auditing cultural indicators across the organisation through auditing personal behaviours as a proxy for culture. Here the key question for internal audit is how best to gather evidence to show that culture and values are at the heart of every business decision and are being incorporated, for example, at every level in recruitment, training, performance management and reward arrangements. This approach is less common, but, over time, may be adopted more widely in addition to the first approach if deemed helpful to the organisation and its circumstances.

The final section of this report outlines the approaches that organisations are taking as they start on the journey of auditing culture. We are not endorsing these in any way but showing members of the profession how they may be able to audit the indicators of culture if they are starting with a blank sheet of paper. We would reiterate, however, that these are merely suggested starting points as there is no one right way to do it.

The Institute is also providing its members with technical guidance containing examples to help equip internal audit to play a bigger role in the assessment of organisational culture which can in turn help to inform boards and regulators to determine how well an organisation is managing culture. This guidance will be made available to non-members for a charge.

Scope and structure

This report has three sections:

A Organisational culture and strategy.

B Harnessing internal audit to support boards in relation to organisational culture – the enablers and the challenges.

C The summary results of our example organisations which have started to audit culture – we interviewed eight organisations with a range of approaches to auditing culture to draw some insights and conclusions on current practice. (The detailed examples can be found in our technical guidance note [4].)

In addition there is an appendix outlining recent developments in two sectors – health and financial services – where failures have led to new approaches to organisational culture.

[2] NHSmanagers.net, Roy Lilley blog, Climate Change, 27 February 2014
[3] Governance and Risk Report, IIA, October 2013
[4] http://www.iia.org.uk/resources/values-and-ethics/culture-and-the-role-of-internal-audit/

A. Organisational culture and strategy

There is no clear-cut agreement on the definition of organisational culture but it is commonly interpreted as “the way we do things around here” [5]. Professor Gerry Johnson, author of the cultural web, refers to organisational culture as “the taken-for-granted assumptions and behaviours that make sense of people’s organisational context and therefore contributes to how groups of people respond and behave in relation to issues they face”. He goes on to say that, as a result, culture has important influences on the development and change of organisational strategy [6]. In other words, culture binds strategy to outcomes.

Professor Sir Ian Kennedy encapsulated the interrelationship between culture and an organisation’s values: “When I talk of the culture of an organisation, I refer to its values and how these values are translated into everyday actions” [7]. This is a theme we hear again and again in all sectors. However it is the gap between the stated values and how they are translated into actions that is of critical importance as the stated values can often be aspirational rather than descriptions of the current values the organisation lives by.

“Poor standards in banking are not the consequence of absent or deficient company value statements…They are, at least in part, a reflection of the flagrant disregard for the numerous sensible codes that already existed.” [8]
Parliamentary Commission on Banking Standards

Culture and risk culture

Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation [9].

All organisations need to take risks to achieve their objectives. The prevailing risk culture within an organisation will significantly affect its ability to manage these risks. Inappropriate risk cultures will lead to activities that are totally misaligned with stated policies and procedures or operate completely outside these policies. At best this will hamper the achievement of strategic, tactical and operational goals. At worst it will lead to serious reputational and financial damage.

The London School of Economics (LSE) Centre for Analysis and Risk Regulation (CARR) [10] asserts that risk culture is not separate from culture in general. It is rather a specific kind of framing of the culture problem, allowing general concerns about culture to focus on risk-taking and risk control activities. Indeed there is an interrelationship between the two in that culture both determines and is influenced by risk culture. The report’s authors suggest that rather than ask what risk culture is, it is better to ask about its components – instincts, attitudes, habits and behaviours, what influences them and how they can be managed and reported on.

The graph below shows the prevalence of the use of the term ‘risk culture’. It shows an exponential growth in the use of the term by practitioners since 2008 [11]; around the same time as the global financial crisis kicked off. The report’s authors said that they see this exponential increase in the use of the term as being a symptom of the desire to reconnect risk-taking with “a new moral narrative of organisational purpose”.

[Figure: Risk culture searches. Number of hits obtained by year, 2000 to 2011.]

[5] Corporate Cultures: the Rites and Rituals of Corporate Life, Deal and Kennedy, 1982
[6] Exploring Strategy, Johnson et al, 2014 (10th ed)
[7] Kennedy Review of the Response of Heart of England NHS Foundation Trust to Concerns about Mr Ian Paterson’s Surgical Practice, December 2013
[8] Changing banking for good, Parliamentary Commission on Banking Standards, June 2013, para 754
[9] Under the Microscope – Guidance for Boards, Institute of Risk Management, 2012
[10] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.
[11] Adapted from graph on p.12, Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.

B. Harnessing internal audit to support boards in relation to organisational culture – the enablers and the challenges

The driver for organisations to pay close attention to their culture and often to try and change it is usually, but not necessarily, driven by regulatory forces or corporate mishaps. This then usually helps gain buy-in from the top, which is a critical factor in the success of auditing culture. But sometimes this appetite from the top is driven from within and does not stem directly from any external pressures. For example it may result from an enlightened, forward-thinking CEO and his/her senior management team who want to prevent a failure of culture and its negative impact on organisational outcomes.

We spoke to organisations in a range of sectors about their approaches to auditing culture. We discovered some common themes emerging around the enablers and challenges. We found that some aspects of auditing culture are already business as usual for internal audit and they just need to look at existing audits through a cultural lens. Those HIAs consider that this is an area they have been auditing implicitly all along. However, findings from research [12] we carried out on what HIAs were doing within their organisations to meet the recommendations of the Financial Services Code revealed that auditing culture is the most difficult area of the code; and that just over one-third (34%) of HIAs say this will pose significant challenges.

Most of the organisations we spoke to incorporate cultural aspects into their standard audit assignments and were not persuaded of the value of auditing culture more widely. This may be because auditing culture as a separate issue across a whole organisation is a massive undertaking which internal audit, in many organisations, is unlikely to have the time, skills and resources to dedicate itself to. Key stakeholders may also perceive it as not being internal audit’s job and therefore the HIA is less likely to get traction and be able successfully to carry out such an audit. Examples of models – the cultural web, the McKinsey 7S model, and the Burke-Litwin model – internal audit can use as a framework for incorporating cultural aspects into audits can be found in the Institute’s technical guidance [4] on auditing culture.

The enablers and challenges in auditing culture are summarised below and are drawn from the examples in section C.

Enablers – crucial foundations necessary for the audit of culture:

• Organisational culture needs to have been analysed, properly defined and disseminated by the board/senior management i.e. what is required behaviour in the organisation has been made explicit.
• Appetite from the top of the organisation.
• Internal audit being given a clear mandate.
• Writing the mandate into the audit charter.
• A relationship of trust between the audit committee chair and the HIA that allows informal discussion about subjective judgements (gut feel) on culture.
• Position, treatment and regard for internal audit, and non-adversarial relationships with their clients.
• The ability for clients to report or respond to surveys confidentially.
• A good level of risk maturity in the organisation.

[12] Chartered Institute of Internal Auditors, “Embedding effective internal audit in the financial services sector”, IIA April 2014

Challenges in auditing culture:

• Organisational culture is often underpinned by how a statement of values is translated into concrete actions, so the key question for internal audit is how to gather evidence and demonstrate that this is the case and that the values are being lived at every level.

• Limitations of surveys and interviews. Researchers at LSE’s Centre for Analysis Risk and Regulation (CARR) [13] asserted that while risk culture may be tracked and measured in visible ways, the very instruments which exist to do this e.g. staff surveys, provide only indirect observations of behaviour at best. Another potential pitfall of employee surveys is that they provide an internal perspective which on its own is not sufficient and may actually be skewed if not underpinned by a culture of being able to speak openly and honestly.

• Skills and training:

– For internal audit to move into this space it needs to upskill in more qualitative methods such as surveys and interviews, or co-source in this area. Surveys need to be properly constructed, administered, analysed and interpreted to identify weaknesses.

– The use of gut feel plays a part in the audit of culture and this is likely to take many internal auditors out of their comfort zone as they are used to reporting on hard facts. They need to join the dots and combine the evidence on hard facts and gut feel when assessing cultural aspects to obtain a picture of the underlying assumptions. HIAs will need to combine both quantitative and qualitative methods to gather evidence as the basis of their audits. They will need to make much more use of root cause analysis i.e. if a problem is found, they need to ask, “Why was that?” and keep drilling down until they can go no further. This takes them beyond their usual methodology of focussing on processes and controls to looking at the underlying behaviours.

– Senior internal auditors will require new communication and relationship skills to enable them to conduct more subjective and informal discussions with NEDs and executives about cultural issues.

– Can young and inexperienced auditors succeed in this realm? Is this an area that only experienced auditors can operate in as experience contributes to competence?

• Reporting. The internal audit team needs to develop and report results in partnership with those accountable and use appropriate means of reporting either orally or in writing. According to the IIA Global Research Foundation [14] there are two main reasons why cultural weaknesses are often reported orally rather than in writing:

– Managers may agree with the weaknesses orally but get defensive and take it personally when they see them written in an audit report. This in turn may make it more difficult to evaluate cultural aspects in this unit in the future.

– It can be difficult to express the weakness in writing and therefore may be open to misinterpretation which could lead to superiors unfairly thinking less of the manager in question.

This reporting problem was highlighted in a recent report by the LSE [15] where they found that risk culture poses some unique problems of documentation in trying to make soft factors visible and measurable. They said that evidence and metrics lie at the heart of the complexity of making assessments about culture. They added that the paradox here is that one organisation may have a ‘worse’ risk culture than another but is better able to document what they are doing, thus appearing ‘stronger’.

• Internal audit is part of the culture itself. Despite ostensibly being independent and objective, internal audit, without realising it, may have adopted the same cultural values and ethics as the rest of the organisation. This raises the issue of credibility and whether, if it is part of the culture itself, internal audit can effectively audit it.

[13] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.
[14] IIA Global Research Foundation, Best Practices: Evaluating the Corporate Culture, February 2010.
[15] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.

C. Approaches to auditing culture

This section outlines a range of approaches organisations are taking as they start on the journey of auditing culture. We are not endorsing these in any way but showing members of the profession how they may be able to audit the indicators of culture if they are starting with a blank sheet of paper. We would reiterate, however, that these are merely suggested starting points as there is no one right way to do it.

Barclays

Internal audit will both integrate culture as part of every audit and conduct thematic reviews of our individual audit reports and assessments of business areas.

Through assessing the culture, internal audit will look to answer:

• How to demonstrate that outcomes are desired and as expected.
• Is the tone at the top right? Is it being lived?
• Are the values being disseminated and adopted in all stages of the employee life cycle?

Integrating culture as part of every audit

Here they will look at systems and processes as usual but will also examine if there is a good underpinning risk culture. Root cause analysis will form the basis of the audits i.e. they will look at whether there is a cultural driver to any issues that arise. They will consider whether a certain behaviour or set of behaviours caused an issue. This focus on underpinning behaviours takes them beyond their usual methodology of focussing on processes and controls.

To make such an assessment they will look at a wide range of information, for example, HR grievance data, whistleblowing activity, complaints, cultural surveys, and mystery shopping. They will also conduct interviews against a structured framework (organisational psychologists have been brought in to advise on devising the interview questions).

Thematic reviews

This approach helps internal audit to assess how well the Barclays values are lived across the organisation and to what extent colleagues are operating in line with these values.

The indicators they are looking at are broadly similar to the ones set out by the Financial Stability Board i.e. tone from the top; accountability; effective challenge; and incentives.

Alongside specific testing of culture/behaviour levers, cultural or behavioural root causes behind issues will also be assessed (the same approach as for individual audits).

Aberdeen Asset Management

Aberdeen Asset Management look at culture across the organisation, as well as considering culture as part of individual audits within the audit universe, the latter being separately reported on in each individual audit.

The overall audit of culture

As with any audit, they have designed specific audit tests – drawing where they could from management information available to or used by management, but also using their experience of past audit issues/themes and gut feel. Following the performance of these tests they have facilitated workshops with the executive and non-executive teams.

With the executives they debated root causes of the issues. For example, they looked at HR structures and reporting lines, finding that the business had grown but the organisation chart had not evolved sufficiently – a few people ending up with over 20 reporting lines.

The deputy CEO was made the owner of the finalised action plan for auditing culture which comprises 12 actions. These 12 actions will be reported on at every audit committee meeting. One of the main actions was for HR to create enhanced appraisals with a clear link to reward, so that the values framework was translated into job descriptions and objectives. Internal audit identified these as key tools for influencing behaviour.

Integrating culture as part of every audit

As well as the overall audit, culture will be considered as part of other individual audits within the audit universe and will be separately reported on in each individual audit. The risk assessment of the audit universe will include a cultural heading and a judgement will be made. They are currently developing the criteria to be used as part of this assessment but recognise it will need to include hard fact and gut feel, again ensuring they utilise their experience and knowledge of the organisation.

Mersey Internal Audit Agency

The nature of internal audit in the health sector has changed following the various public inquiries and NHS-wide reviews e.g. Mid Staffordshire (Francis) Public Inquiry, the Keogh Review etc.

A concern which was raised in the Keogh Review of 14 trusts with persistent outliers on mortality statistics was a significant disconnect between what boards identified as key risks and issues within the organisation and what was happening in wards and departments. The internal audit team at the Mersey Internal Audit Agency has therefore piloted a survey to assess this disconnect between board and ward level staff in relation to their perceptions around the five theme areas highlighted in the Keogh Review – patient experience; safety; workforce; clinical and operational effectiveness; and governance and leadership.

A lot of their audit work will include aspects of culture but they have not undertaken audit assignments where that is the primary or single focus. For example, when auditing complaints they will be forming a view on openness and transparency as part of their work. Internal audit would also look at how the trust has changed how they deal with complaints post-Francis including how issues are escalated to the board and how the board is engaged through, for example, the use of patient stories. Internal audit asks and looks for evidence to show what the board does in response to complaints handling.

Internal audit looks at an array of targets and indicators such as staff surveys, patient surveys, ‘never events’, ‘serious untoward incidents’ etc., but now do increasing amounts of work around what outcomes the board wants from those. They also look at rotas and staff records etc. to build up a picture through joining the dots. Whistleblowing can be a useful area of evidence when coming to judgements around culture but they are cautious as can often be mixed up with grievances.

The auditor now reports on their views on observed behaviour that impacts upon the patient experience. This type of evidence needs careful interpretation but they do now mention this in reports and would not have done before.

Old Mutual Group

The organisation is focused on understanding its culture and driving positive actions. In the last few years HR has administered a Barrett survey (a cultural transformation methodology devised by Richard Barrett) annually to do a values-based assessment. The results are shared with internal audit. Internal audit use the results of the survey as a basis for understanding the business units they audit.

In early 2014, the HIA and chief risk officer developed 50 criteria, based on areas the regulator focuses on, to evaluate the risk and control culture of each business in the group. The criteria are assessed subjectively by both of them.

This assessment will be made every 6-12 months. The scores they give are based on judgements on what they see and observe, and they challenge each other to come to a consensus. They then explain how they came up with these scores with the leaders of each business unit.

These scores, along with the more detailed data mentioned above and information from the risk world, are consolidated by business unit and are then shared with the audit committee, the remuneration committee and the risk committee.

It is about making an ‘educated judgement’ on a variety of factors that build up to an overall picture. This is not as straightforward as auditing hard controls as the HIA needs to become much more comfortable with shades of grey rather than black or white.

What works for one organisation may not necessarily fit another organisation.

TUI Travel plc

Ultimately the culture of an organisation reflects the risk appetite and effectiveness of its board. It must provide a clear tone at the top and then ensure an effective system of control to enforce it.

Internal audit is a part of that system of control and has the opportunity to play an active role in helping ‘the tone at the top’ permeate ‘the mood in the middle’. However to be successful internal audit often needs to undergo a cultural change of its own. To be trusted as an honest agent supporting the board (driving its agenda) and also line management (representing it fairly) it needs to develop its methodology and people.

Internal audit methodology should be refined to support the relationship it’s seeking to have with the organisation and, for this to work, it needs to have the right people with the right skills – competent, compassionate, commercial and, occasionally, courageous.

Refinements to the internal audit methodology at TUI Travel include:

Engagement: At the outset of each audit, internal audit advises management that at the end of the audit they will provide an engagement rating. In effect management can choose that rating by how they choose to interact with the audit team – openly or defensively.

Context and Credit: Audit reports can cause resentment amongst management. Internal audit has developed standard mechanisms to give ‘context where it’s useful and credit where it’s deserved’. Knowing that the final report will reflect the control environment fairly encourages management to be open with internal audit about the issues they’re facing.

Stakeholder feedback: Many internal audit functions allow management a written response on findings raised although they sometimes edit it for the sake of brevity and factual correctness. At TUI Travel internal audit offers management the opportunity to give unfettered feedback. Management’s ratings and comments are reported in full to the audit committee on a quarterly basis. The response rates and the feedback given provide a good insight into the prevailing culture.

Performance reporting: Internal audit provides a number of performance reports which help build a picture of the engagement and effectiveness of individual managing directors. These include:

• The timely closure of corrective actions (showing the performance on a rolling four quarters basis and highlighting best and worst performers).
• The appropriate authorisation of date extension requests (showing that all requests have been submitted to the CFO).
• The number of repeat requests (showing the number of times dates are changed, with more than twice indicating issues of commitment and/or competence).
• Compare and Contrast reports (showing the results of the same audit performed in different businesses).
• The Risk Management Engagement & Effectiveness grid (showing the performance of each Managing Director relative to their peers).
• Hit Rate & Root Cause analysis (showing, for common control weaknesses, how many times the control was tested, how often it failed, how badly it failed and why it failed).

Staff surveys: Internal audit has also added questions to the annual staff survey that provide a heat map of good culture/poor culture across the group.

Lloyds of London

Internal audit has always had informal conversations about cultural aspects when auditing but it is writing it down which makes it a challenge.

They have always audited people, process and technology. It is usually the people risk that causes issues. Within this they have assessed the ability of the people to do the job but have only raised this by exception and orally. Now it is built into the scope of every single audit. The initial challenges were around how to evidence it.

From Q1 2013, a big 4 firm has administered a confidential annual people and risk survey containing about 70 questions. Internal audit use the survey to pinpoint what is not right and to identify where to conduct reviews. They will also assess the actions stemming from the survey results to see what has and hasn’t been implemented.

There is considerable use of co-sourcing in the organisation so the big 4 have the combination of technical and people skills to audit cultural aspects. If the internal team make the assessment then it has to be by more experienced/senior internal audit staff, who have seen enough go wrong, to make a more credible judgement.

BAE Systems

The way that audit is viewed in the company is that the business is comfortable with it. The board, audit committee, corporate responsibility committee and senior management recognise and support the role of internal audit in auditing cultural issues. This along with the company’s level of maturity in assessing risk and other helpful foundations such as the audit charter (where responsible behaviour and non-financial risk are explicitly picked up) make it easier to conduct these audits.

The majority of audits comment on cultural issues: and for each audit there is a cultural checklist which prompts audit managers to consider the ethical behaviour elements in their audits. They also try and dig beneath the surface of what they are being told by using a wider sample base than was the case previously and looking more deeply into any matters arising.

Internal audit reports to the corporate responsibility committee as well as to the audit committee. A lot of the confidence the internal audit team has on making judgements on cultural/ethical issues in their audits stems from the support these committees give, particularly when subjective judgements are being made. The committees want to hear the views of internal audit, knowing they may not be based on a wholly solid evidence base. The team is trusted to be responsible by all concerned. Confidence builds with time and experience. Not all comments on cultural issues will lead to a recommendation, they may just be observations.

3i plc

Culture is inseparable from much of the day-to-day work that audit does. Operational risk is about people, processes and systems so you cannot ignore behaviours and cultures in the audits that you do. The audit function has always taken these people aspects into account but has done so with increasing transparency, for example by recognising them as part of the control assessment ratings used for audit reporting.

The HIA would recommend that every audit team looks at what they are currently doing and for ways to make the assessment of culture and behaviours more explicit in terms of outcomes and reporting. This can be done in an incremental way without the need for a ‘big bang’ approach.

Making these aspects more explicit does not necessarily mean communicating everything in writing. Some areas may need to be handled more sensitively and possibly reported orally. One should exercise careful judgement in what is committed to a written report.

Standard audit reports provide an overall opinion on the management of the business unit. As part of the rating system, they take into account a number of factors such as management’s ownership of risk, attitude to control, response to previous audit findings and degrees of respect accorded to internal audit.

When internal audit report to the audit committee they look at outputs from various audits to report on themes and trends. Taking account of culture and attitudes is integral to this work. The end of year ‘state of the nation’ style report also provides high level comments on areas such as the ‘tone at the top’.

Appendix A

Sectoral differences

Culture can be at the root of problems in any organisation in any sector. In the UK, however, there are two sectors in particular – financial services and healthcare – where cultural crises have repeatedly come under the spotlight at a systemic level, and these sectors have been the subject of numerous public inquiries and commissions in the last decade. Therefore, we will expand on the policy and regulatory developments in these sectors as they, more than most, have been buffeted by huge change.

All this disruption has created a rare opportunity to transform the culture at every level in these sectors. These developments in turn have created a need for internal audit to support boards in monitoring and assessing the success of cultural change programmes.

Financial services

We need a financial system for the 21st century. What do I mean by that?...

Ethical behaviour programmes

A number of global financial institutions have launched high-profile programmes focussing on ethical behaviour. For instance, all 98,000 employees of Deutsche Bank, about 13,000 senior bankers at Goldman Sachs, and Barclays’ 140,000 staff have been or are being taken through programmes aimed at reinforcing codes, values, behaviour and a strong, positive corporate culture. However, a survey by the Economist Intelligence Unit [18] of 392 financial services executives found that while large majorities agree that ethical conduct is just as important as financial success at their firm, 53% also say that strict adherence to such codes would make career progression difficult. Furthermore, the Chief Executive of the Financial Conduct Authority (FCA) [19] said that even though the majority of big banks and firms have change programmes in place, he has serious concerns that economic recovery will mean that investor pressure for growth stock will push cultural questions to the back of mind.

A number of commentators have noted that training can only go so far. To encourage responsibility, the overall business context has to be right. In a Financial Times article [20], Dan Ostergaard, Managing Partner of
where culture is taken as integrity by Design, a swiss-based group that advises seriously as capital, and where the on culture change and ethical training, points out that if banks do not address organisational structure, ethos is to serve rather than rule including the whole process of recruitment, promotion, remuneration and how they take day-to-day business the real economy. decisions, the ethical behaviour programmes could be Christine Lagarde, Managing Director, International “an expensive dog-and-pony show”. 16 Monetary Fund t he question about the n fi ancial services industry in particular is whether the organisations within it can shift their cultures to become more customer-centric. 17 t he Parliamentary c ommission on banking standards said that banking culture has neither a sense of duty to the customer nor any sense to collective responsibility to maintain the sector’s reputation. 16 18 A New Multilateralism for the 21st Century: the Richard Dimbleby Economist Intelligence Unit, A crisis of culture – valuing ethics and Lecture February 2014 knowledge in financial services, November 2013 17 19 Changing Banking for Good, Parliamentary Commission on Banking Ethics and Economics, Martin Wheatley Financial Conduct Authority Standards, June 2013 speech 04 March 2014 20 Bankers back in the classroom, Andrew Hill, Financial Times, 16 October 2013 c ulture and the role of internal audit – looking below the surface Page 13r egulatory and public policy developments Standards of behaviour – structure as well as culture in n fi ancial services Proposals for a new organisation to t he economist intelligence unit highlighted the need raise banking standards to address organisational structure as well as culture. 
in May 2014, after consulting widely, sir r ichard it asserted that many of the n fi ancial institutions that l ambert outlined his plans for a new independent fared well in the global economic crisis adhered to a 21 voluntary body – the banking standards r eview partnership structure , suggesting that this structure c ouncil – to raise standards in the banking industry. is more effective at linking individual behaviour to t he body will be funded by banks, paying in corporate culture. proportion to their size. t he main intention is for banks according to the economist and journalist, t im to publish information annually on how they treat harford, incentives for deliberate wrongdoing are customers. good behaviour is to be judged from the 22 stronger in n fi ance . he says that even though customers’ perspective. it is hoped that the regular surgeons, airline pilots and nuclear plant operators pressure on banks will not just raise the standards of can and do make mistakes we can usually hope the worst lenders but mean that the whole sector is that they act in good faith. he thinks that no propelled into improving year after year. such hope exists in the n fi ancial system where 25 “the systemic consequences of bending the rules t he report says that the new body will require can pop up far away from the perpetrators and participating banks and building societies “to long after the prot fi s have been banked”. commit to a programme of continuous improvement under the headings of culture, competence and Most banks had codes of conduct in existence well in customer outcomes, and to report back on their advance of the onset of the n fi ancial crisis, and many of performance to the public every year”. t he metrics them also had corporate values on prominent display will, as far as possible, be drawn primarily from in their ofc fi es. Yet it would appear that the impact on internal reports, staff surveys, and interviews, their overall behaviour was negligible. 
and would be intended to show whether the Philippa f oster back, Director of the institute of r fi m’s culture was enabling good behaviour. business ethics, was quoted in the f inancial t imes under the heading of culture, the issues to be saying that leaders must remove what she calls the considered should include: “say-do gap” and that good conduct, for instance, • the extent to which the code of conduct was needs to be reec fl ted in rewards and bonuses in order understood by employees, and embedded to give weight to the idea that culture and values 23 into recruitment, induction, promotion and do really matter . t he Parliamentary c ommission 24 performance management; on banking standards report reiterated the • incentive structures; importance of elements such as remuneration. it • diversity; and said, “r emuneration has incentivised misconduct • the extent to which whistleblowing and other and excessive risk-taking, reinforcing a culture where policies encouraged employees to raise concerns in poor standards were often considered normal. Many the workplace. bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before 26 on the latter point, our report on whistleblowing the long-term consequences become apparent. t he highlighted the symbiotic relationship between potential rewards for ee fl ting short-term success have whistleblowing and an organisation’s culture whereby sometimes been huge, but the penalties for failure, effective whistleblowing arrangements are an often manifest only later, have been much smaller important part of a healthy corporate culture, but the or negligible. Despite recent reforms, many of these right organisational culture is also needed to encourage problems persist.” people to speak out without fear. 
we would suggest that these issues, along with those suggested by the f inancial stability board (fsb ) outlined in the box on the next page, should be part of 21 24 Economist Intelligence Unit, A crisis of culture – valuing ethics and Changing banking for good, Parliamentary Commission on Banking knowledge in financial services, November 2013 Standards, June 2013 summary 22 25 Adapt – why success always starts with failure, Banking Standards Review, Richard Lambert, May 2014 Tim Harford 2012; p.209 26 IIA Whistleblowing and Corporate Governance, January 2014 23 Bankers back in the classroom, Andrew Hill, Financial Times, 16 October 2013 Page 14 c ulture and the role of internal audit – looking below the surfaceinternal audit’s remit when auditing culture. examples it is worth noting that in its response to the fsb ’s of how these issues are considered by internal audit in consultation, iia global said that they felt the practice can be found in our examples in section c . consultation document was written with a slant towards risk avoidance. t hey added that, “risk r egulatory proposals for supervising n fi ancial culture should be about creating an environment institutions on risk culture where undertaking risk on behalf of the institution in april 2014, the fsb published its guidance on is done consistent with the management of risk supervising n fi ancial institutions on risk culture. it within tolerance levels approved by the board and recommends supervising the following elements: senior management”. t his point has been echoed by Professor Mike Power, lse, who believes that we need to ensure that the risk culture debate does not result in • tone from the top: t he board and senior 27 an organisation becoming more risk averse . 
management are the starting point for setting the n fi ancial institution’s core values t he fca has challenged n fi ancial services to change and expectations for the risk culture of the their culture with a dedicated and persistent focus. institution, and their behaviour must reec fl t the values being espoused. a key value that should be espoused is the expectation we expect r fi ms to have a culture that places that staff act with integrity (doing the right customers and market integrity at the heart of thing) and promptly escalate observed their business. c ulture is evidenced through non-compliance within or outside the the way r fi ms conduct their business, what organisation (no surprises approach). t he r fi ms expect of staff, and their attitude leadership of the institution promotes, towards customers. it is for r fi ms to determine monitors, and assesses the risk culture what culture is appropriate for them and to of the n fi ancial institution; considers the demonstrate that culture from the top down. impact of culture on safety and soundness; Source: FCA tackling serious failing in r fi ms; a response and makes changes where necessary. to the Special Measures proposal of the Parliamentary • accountability: r elevant employees at all Commission on Banking Standards, June 2014 levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. staff acceptance of risk- related goals and related values is essential. • effective communication and challenge: a sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement. 
• incentives: Performance and talent management encourage and reinforce maintenance of the n fi ancial institution’s desired risk management behaviour. f inancial and non-n fi ancial incentives support the core values and risk culture at all levels of the institution. Source: Financial Stability Board Guidance on Supervisory Interaction with Financial Institutions on Risk Culture – A Framework for Assessing Risk Culture). April 2014 27 Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013. c ulture and the role of internal audit – looking below the surface Page 15in a speech to the c hartered f inancial analysts society 3. Performance management and rewards 28 c live adamson, Director of supervision at the fca Positive behaviours can easily be undermined explained the areas to be monitored as follows: by performance management systems that only reward tangible outcomes, n fi ancial performance 1. tone at the top and prot fi . we have seen in n fi ancial services tone at the top refers to the atmosphere created how high-risk incentive schemes drive sales staff by the leaders of the organisation. w hatever tone to earn bonuses at the expense of customers the board and senior executive set it will have a and the organisation’s reputation. Performance trickle-down effect on managers and employees. management must therefore be balanced to f or example, if the tone upholds ethical behaviour reinforce corporate values, expectations and and fair customer treatment employees will be maintenance of the den fi ed risk culture. more inclined to adopt the same values. however, if t his extends beyond simple questions of rewards. 
the organisation’s leaders are solely concerned with it includes questions of who and what roles are the bottom line, employees will be more prone to valued or regarded to be in the ‘in crowd’, who is take bigger risks to earn more prot fi , with little or highlighted by the ceo and senior executives for no regard to customers. t his means tone at the top doing a good job, who and what is mentioned is not simply about what you say in your mission in staff magazines, which managers get offered statement and sales literature it’s about actions interesting development opportunities, as well as or lack of actions. in short, people will generally who gets promoted. r egulatory requirements for mirror the actions of their leaders, what they notice appropriate remuneration and incentive schemes their bosses are encouraging or accepting as well that take a longer term view are likely to inu fl ence as their reactions to events (which may include the organisation’s risk taking culture going forward. irritation or indifference). as such the whole way leaders conduct themselves will signic fi antly impact t he Prudential r egulation authority (Pra ) for its organisational behaviour and culture. 29 part issued a statement of Policy which says that it expects r fi ms to have a culture that supports their 2. Business practices prudent management. t he Pra does not have any w hile the tone at the top goes a long way to ‘right culture’ in mind, rather it focuses on whether clarifying expected attitudes and behaviours boards and management clearly understand the these expectations have to n fi d their way into circumstances in which the r fi m’s viability would be everyday business practices and decision making. under question, whether accepted orthodoxies are in particular driving the way unexpected problems challenged, and whether action is taken to address and events are managed so that ‘the way things risks on a timely basis. 
t he Pra wants to be satised fi are done around here’ is applied when anything in particular that designated risk management and unusual happens as well as in normal routine control functions carry real weight within r fi ms. circumstances. t he point here is that, although board members and senior executives may think that good advice is being given to customers and that complaints and issues are being handled in the right way, this may not be happening on the ground. t his is why assurance over customer complaints handling is essential for providing signic fi ant insights into the culture of an organisation (i.e. taking an ‘outside in’ approach). 28 29 Clive Adamson, Director of Supervision at the FCA, speech to the The use of PRA powers to address serious failings in the culture of Chartered Financial Analysts Society, April 2013 firms, Prudential Regulation Authority, June 2014 Page 16 c ulture and the role of internal audit – looking below the surfacet he Pra identie fi s serious failings in culture through its Patient-focused healthcare normal supervisory activity. t hese may include: and measuring culture • evidence of a poorly functioning board that the growing interest in patient-focused healthcare in fails to challenge executives or take a lead in the nhs , especially in the wake of high-prolfi e failures consideration of conducting business in a safe going back nearly as far as the inception of the health and sound manner; which can include setting, service, has underlined the need to measure and then articulating and embedding an appropriate change culture, especially in hospitals and care settings. culture in the firm, and drawing up clear policies a key theme from the Mid s taffs seminars, which and guidelines that are linked to staff objectives, formed an important part of the Mid staffordshire training, evaluation and incentives. 
31 Public inquiry , was that the prevailing culture in • evidence of weak control areas such as risk, nhs t rusts has a strong influence on the quality compliance and internal audit that may indicate of patient care and experience. it said that there poor management, lack of resource, or insignic fi ant is surprisingly little focus on measuring culture representation at board level. despite the significance attributed to it. t he report highlighted that: • evidence of other weaknesses in board or senior management behaviour and inu fl ence on r fi m • hospitals are complex organisations that often culture, including incentives and their adherence to contain a multiplicity of cultures where some the r fi m’s values. wards/services are at odds with the norms and behaviours expected; and healthcare • c linicians and managers may intuitively know that there is a problem in part of the organisation but t he culture in financial services is aiming to lack evidence to pinpoint the nature of it because become more client-centric. similarly, the nhs is the trust performance information may not attempting to reorient its culture to become more highlight the problem areas. patient-focused following a number of scandals and on quality culture, Professor sir ian kennedy said, “it inquiries over the years ranging from bristol to Mid is difc fi ult to measure culture in healthcare. but it is staffordshire. Professor sir ian kennedy, author of possible through good use of data and interrogation numerous health-related public inquiries told us: “t he of that data. once measures are in place you have to leaders need to create a set of values that need to be decide the range of acceptable performance. t hen that of the service not of the professional group”. t his you need to collect both qualitative and quantitative sentiment was reiterated by sir r obert f rancis Qc information to tell you if there are deviations”. 
but when announcing his findings and recommendations therein lies the difc fi ulty. t he ability to pick out the of the Mid staffordshire Public inquiry. he said that essential information from the blizzard of noise is key an institutional culture which put the “business of to getting more reliable indicators of what is going on. the system ahead of patients” was to blame for the failings surrounding the t rust. Professor sir ian kennedy relates culture to values, which is a theme we hear in all sectors. Perhaps unique 30 to the nhs , he adds : “t he culture of a hospital is ordinarily set by the c hief executive and his senior team. Despite its signic fi ance in terms of its legal responsibility, the culture historically has rarely been laid down by the board… the board is the only real mechanism for holding the executive to account”…”the history of things going wrong in the nhs is often a history of an executive not being held properly and effectively to account”. 30 31 Kennedy Review of the Response of Heart of England NHS Mid Staffs Public Inquiry, Report from the forward look seminars, Foundation Trust to Concerns about Mr Ian Paterson’s Surgical November 2011 Practice, December 2013. c ulture and the role of internal audit – looking below the surface Page 17r egulatory developments in healthcare t he c are Quality c ommission (c Qc ), the independent regulator of all health and social care services in england, will assess leadership, culture and governance in their inspections from april 2014. t he aim is to enable the c Qc to identify the key leadership behaviours and values that should be assessed so that they can determine whether trusts have the appropriate leadership in place to ensure they are performing effectively and improving. 
The Health Select Committee, in their most recent report on the CQC [32], urged them to develop the assessment to go beyond simply measuring board level governance practices, and properly assess whether a culture of openness and challenge exists amongst front-line staff. The Committee said that assessing both the number of concerns raised by staff members and the way in which those concerns have been addressed would serve as a useful proxy by which the regulator can begin to measure the culture of an organisation.

Our example on the Mersey Internal Audit Agency shows how this directional change in regulation is having an impact on the way internal audit approaches its assessment of culture.

[32] Health Committee - Sixth Report, 2013 accountability hearing with the Care Quality Commission, January 2014

About the Chartered Institute of Internal Auditors

First established in 1948, we obtained our Royal Charter in 2010. We are the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland. We have over 8,000 members in all sectors of the economy including private companies, government departments, utilities, voluntary sector organisations, local authorities and public service organisations such as the National Health Service.

Members of the Chartered Institute of Internal Auditors are part of a global network of 180,000 members in 190 countries. All members across the globe work to the same International Standards and Code of Ethics. Over 2,000 members of the Institute are Chartered Internal Auditors and have earned the designation CMIIA. 800 of our members hold the position of head of internal audit and most FTSE 100 companies are represented amongst the Institute's membership.
www.iia.org.uk
Chartered Institute of Internal Auditors
13 Abbeville Mews
88 Clapham Park Road
London SW4 7BX
tel 020 7498 0101
fax 020 7978 2492
email infoiia.org.uk
© July 2014