Source: Culture and Conduct Risk: Elevating Internal Audit’s Role - Deloitte Center for Board Effectiveness - Audit Committee Brief, June 2017
Traditionally, internal audit (IA) has focused on providing assurance with respect to known risks and the effectiveness of controls in mitigating those risks. Regulators, however, are increasingly interested in an organization’s ability to identify blind spots, unknown risks, and other vulnerabilities that may undermine the integrity of the risk management environment, including the risk of misconduct.
What IA functions are doing to equip themselves to address the risk of misconduct and their organizations’ overall risk culture was the focus of a recent discussion hosted by Deloitte with IA leaders in the banking and securities sectors. IA functions can play a pivotal role by substantively testing culture and identifying potential risk-related outliers that may not be visible via other means, such as supervisory frameworks, escalations, compliance assessment and testing, and previous audits.
Following are a number of questions raised during the session, with a discussion of IA’s role in identifying gaps in an organization’s approach to risk culture and conduct risk.
Q: How can IA measure culture and help identify key drivers?
A: A sound governance framework should help drive a positive culture that makes compliance and ethical behavior a responsibility for every employee, at all levels. Rather than measuring or providing an opinion on culture, IA is increasingly including substantive testing of culture, holding a mirror to the organization on what staff have shared confidentially within each individual audit and across multiple audits organization-wide. As the third line of defense, internal audit provides an independent and end-to-end view on how those at the first line (business units) are encouraging and promoting the appropriate culture, and how the second line (risk and compliance) is monitoring and challenging the organization to keep on the right path.
Q: How do values and branding relate to risk culture?
A: An organization’s values provide a clear expectation of how staff at all levels are expected to behave. This messaging is reinforced by external branding, and to some extent by the employee value proposition. The alignment of all of these organizational artifacts is important. If organizations are inconsistent in setting or reinforcing expectations, staff may be tempted to satisfy increasing work pressures by taking the path of least resistance.
related training delivered online. In many organizations, the rituals of completion often include a degree of skipped content, multi-tasking while content plays out, or asking colleagues to source correct answers. This type of behavior perpetuates a check-the-box mindset that compliance should seek to avoid.
While the organization can demonstrate an efficient delivery of the training, the retention of knowledge may be questionable. Increasingly, organizations are adopting scenario-based learning programs that move away from binary responses and instead seek to simulate real-world challenges and complexity.
Q: Are there consent orders that specifically focus on culture?
A: Currently in the United States, most consent orders are focused on conduct risk and how conduct is identified and managed across capital markets businesses and other parts of the organization that might share similar characteristics and be subject to similar misconduct. However, all regulators stress the importance of culture as a driver of conduct. In the U.S., the Financial Industry Regulatory Authority has been conducting targeted exams, known as “sweeps,” on how firms establish, communicate, and implement cultural values, and whether these are guiding appropriate business conduct.
The Federal Reserve Bank of New York, the Financial Conduct Authority in the U.K., and the Australian Prudential Regulation Authority are all focused on culture as a key priority. Across the Asia-Pacific region, regulators have issued consent orders that include a focus on culture where it is identified as a primary driver of regulatory concerns.
Q: How does the IA function typically audit culture and conduct?
A: Organizations use an array of approaches to audit culture and conduct, and most of these unfortunately provide only an aggregated measure of culture and fail to help leaders understand how their cultures either enhance or undermine the effective management of risk, conduct, or compliance. From the conduct risk standpoint, IA tends to perform a systematic review of how conduct risk applies to each business, covering governance, policies, training, and controls across the first and second line, and what information is available to management to monitor incidents of misconduct. Internal audit can also use learnings from one business to challenge another business to consider factors that have been problematic elsewhere and to gain assurance on their relevance and mitigation. In addition, the IA function can review customer complaints and employee hotlines to gain insight into topics about which the business may not be forthcoming and to contrast data points.
With respect to conduct risk, an excessive reliance on testing existing controls might perpetuate organizational blind spots and could potentially result in misconduct passing unnoticed. IA functions are increasingly taking a more substantive approach to testing culture and conduct and using new frameworks, techniques and expertise, such as embedding specially designed culture assessment techniques into every audit. These techniques are typically designed by organizational psychologists to be reliably executed by IA teams through audit planning and scoping. They are designed to surface specific culture-related areas of concern and the resulting insights can enhance traditional assurance findings.
Q: What are some first steps that IA can take prior to an audit?
A: An anonymous survey can be a good approach to build a view of culture prior to audit activities. A better approach is to conduct face-to-face interviews or workshops to understand employee experiences and perceptions of culture. Some organizations combine these techniques, using a rolling survey to determine where face-to-face fieldwork conversations may be beneficial, as well as the focus of these conversations.