the public sector culture conundrum - The Institute of Internal Auditors

0 downloads 135 Views 597KB Size Report
Public service — whether in federal, state, regional, or local government .... The ACGA was established to provide pub
KNOWLEDGE BRIEF

THE PUBLIC SECTOR CULTURE CONUNDRUM Attitudes and Practices According to The IIA’s 2016 Global Pulse of Internal Audit survey (Pulse), only 24 percent of public sector internal auditors reported that their internal audit departments audit culture. Among the 76 percent of public sector internal auditors that DO NOT audit culture, the top reasons given are lack of support from executive management, lack of time, and lack of competencies (skills and knowledge). This is consistent overall with the response of internal auditors across all types of organizations. What do public sector internal auditors have to say about their level of understanding about culture, and that of management and the board? A clear majority (84 percent) strongly agree/agree that their internal audit department understands risks associated with organizational culture. However, only:



Sixty-one percent strongly agree/agree that executive management understands risks associated with organizational culture.



Fifty-eight percent strongly agree/agree that the board/audit committee understands risks associated with culture.



Fifty-two percent strongly agree/agree that their internal audit department understands how to audit culture.



Fifty-two percent strongly agree/agree that their internal audit department understands how to report on culture.

Those numbers overall are not significantly different from what was reported by internal auditors in publicly traded or privately held organizations. However, public sector internal auditors face unique challenges when compared with internal auditors in publicly traded or privately held organizations. But first, on the positive side, although only a minority of public sector internal auditors DO audit culture, they have adopted leading practices: www.theiia.org/ACGA

SUMMARY Auditing culture can be challenging for internal auditors in all types of organizations, but issues with the public trust and political environment make it particularly challenging for internal auditors in the public sector. Following established guidelines can help.



Culture should be included in internal audit’s risk assessment. According to Pulse, among public sector internal auditors who audit culture, the No. 1 reason for doing so is that culture was rated a high risk by internal audit.



As articulated by IIA Global Chairman Angela Witzany, “Auditing culture must be incorporated into every audit engagement, providing the organization with a baseline for continuous monitoring and enabling internal auditors to look for early warning signs.” Among public sector internal auditors who audit culture, culture is most often incorporated into several or all engagements rather than in a standalone engagement.

Despite these leading practices, what are the unique challenges faced by internal auditors in the public sector?

Public Trust and the Political Environment Public service — whether in federal, state, regional, or local government, government agencies, or other government entities — is a public trust. Public officials who lead public sector organizations, whether appointed or elected, and public sector employees are typically by law held to high standards of ethical conduct. For example, in the United States, federal employees must adhere to the Code of Federal Regulations (CFR) Title 5, Part 2635-Standards of Ethical Conduct for Employees of the Executive Branch. Issues covered in Page 1

The Public Sector Culture Conundrum

5 CFR 2635 include gifts from outside resources, gifts between employees, conflicting financial interests, impartiality in performing official duties, seeking other employment, misuse of position, and outside activities. U.S. states have similar ethics laws. It is considered a best practice for organizational codes of conduct to require employees to report their awareness of any noncompliance in the organization. However, the game is upped for public sector employees.



Where internal auditors in publicly traded and privately held organizations might typically report matters of noncompliance to the board, 5 CFR 2635, for example, requires employees (which would include internal auditors) to “disclose waste, fraud, abuse, and corruption to appropriate authorities.”



Internal auditors in publicly traded and privately held organizations might typically report executive misconduct to the board, which may be able to handle the matter quietly. Public sector organizations typically do not have such boards, and internal auditors are faced with reporting to government agencies or authorities, increasing the likelihood that such reports will be a matter of public record.





Where violations of publicly traded and privately held codes of conduct might result in disciplinary action by the organization, violations of U.S. federal and state ethics laws may result in criminal prosecution. Public sector internal auditors may face retaliation when their actions or reports conflict with an agency head’s political agenda.

In addition, it is a widespread belief that organizational culture starts with values, and that toxic cultures result when individual values or the espoused values of the organization are not reflected in the actual culture of the organization. For public sector internal auditors to be able to audit culture, the values and culture of the public sector organization itself have to support them doing so. Eighty-seven percent of public sector Pulse respondents indicated that their organization has a set of stated core values. However, only 17 percent of public sector internal auditors strongly agree that their organization’s core values are reflected in the actual culture of the organization. This is significantly lower, compared to internal auditors in publicly traded or privately held organizations. www.theiia.org/ACGA

It is against this backdrop that public sector internal auditors face the challenge of auditing culture.

What Can Internal Auditors Do Now? IIA CEO and President Richard Chambers advises that while we all live amidst the culture of our companies, we do no one a favor by sitting by and watching the company’s culture damage its value and brand. We must be willing to throw flags, if necessary. IIA Standard 2110: Governance states that among other things, “the internal audit activity must assess and make appropriate recommendations to improve … the organization’s governance processes for promoting appropriate ethics and values within the organization.” And Standard 2110.A1 specifies “The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.” So, what can public sector internal auditors do now? The desired organizational culture is established at the top. The June 2016 Internal Auditor magazine article “The Toxic Leader” explains how and why internal auditors should be on the lookout for damaging leadership styles that can create unhealthy corporate culture. For internal auditors in U.S. public sector organizations, use the U.S. Department of Justice (DOJ) guidance on the “Evaluation of Corporate Compliance Programs.” This guide provides important topics and sample questions that the Fraud Section has found relevant in assessing organizational compliance and ethics programs. In addition to fraud, the topics and questions can be applied to a broad range of ethical issues.

Page 2

The Public Sector Culture Conundrum

U.S. DOJ Evaluation of Corporate Compliance Program Topics 1.

Analysis and Remediation of Underlying Misconduct.

2.

Senior and Middle Management.

3.

Autonomy and Resources.

4.

Policies and Procedures.

5.

Risk Assessment.

6.

Training and Communications.

7.

Confidential Reporting and Investigation.

8.

Incentives and Disciplinary Measures.

9.

Continuous Improvement, Periodic Testing, and Review.

10. Third Party Management. 11. Mergers and Acquisitions (M&A).

Other recommended actions include:



Whether working for a U.S. or non-U.S. organization, obtain high-level knowledge of the jurisdiction’s ethics laws and standards of conduct.

 

Fully understand the organization’s culture.

 

Incorporate some aspect of culture in every engagement.



www.theiia.org/ACGA

Apply established risk/governance frameworks to assess the organization’s culture. Overall, consider a comprehensive list of culture-related factors: o Alignment of actual organizational behavior with the organization’s stated core values. This information might be collected by employee opinion surveys or interviews. o Culture-related training. o Compliance issues. o Human resources practices (e.g., incentives and enforcement measures). o Soft skills, (e.g., competence, trust, openness, transparency, and leadership). o Hot-line, helpline, or “speak-up” arrangements (e.g., usage rate, types of issues, resolutions). Establish culture metrics and continuously monitor.

Page 3

ABOUT THE ACGA Established in 2014, the American Center for Government Auditing (ACGA) is a specialty offering of The IIA for government auditors in the United States. The ACGA was established to provide public sector auditors with low-cost, high-quality professional development; networking opportunities for knowledge sharing among public sector stakeholders; and ongoing, timely, and relevant reporting on trends, benchmarking, and thought leadership in the audit profession.

ABOUT THE IIA Established in 1941, The IIA is an international professional association with global headquarters in Lake Mary, Fla., USA. The IIA is the internal audit profession’s international standard-setter, sole provider of globally accepted certifications, and principal researcher and educator.

DISCLAIMER The ACGA and The IIA publish this document for informational and educational purposes. This material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The ACGA and The IIA recommend that you always seek independent expert advice relating directly to any specific situation. The ACGA and The IIA accept no responsibility for anyone placing sole reliance on this material.

COPYRIGHT Copyright © 2017 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at [email protected]. Global Headquarters The Institute of Internal Auditors 1035 Greenwood Blvd., Suite 401 Lake Mary, FL 32746, USA Phone: +1-407-937-1111 Fax: +1-407-937-1101 acga.theiia.org