The COSO defines Internal Control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.” It further defines Control Environment as – “The control environment is an organization’s culture, beliefs, and values. It includes the integrity, ethical beliefs, and competencies of its people, which are visible in management’s operating style, how management assigns authority and responsibility, and how management organizes and develops its employees. Another indication of the control environment is the degree of involvement from its board or directors.”
In other words, Organization Culture is the sum total of the psychology and attitudes which are communicated by the leadership team to the employees and the ethics, values and beliefs which are incorporated for execution of work and obtaining business objectives. Now that connections between internal control, control environment and organization culture are clear; the next question is what is the impact of organization culture on internal controls?
Let us understand the constituents of organization culture and drive the impact on internal controls.
Leadership: Organization culture is defined by the leadership of the organization. The CEO is the torch-bearer of organization culture. The mission, vision and strategy communicated by the senior management is the glue which holds the organization together and moves everybody in the same direction. Lack of clear direction, frequent and abrupt changes and arbitrary decisions in mission, vision and strategy contribute to the negativity in the organization culture. This also results in various departments having different work cultures and working in a counter-productive manner. This directly impacts the efficiency and effectiveness of business operations. Depending on the level and clarity of leadership communication, the organization at a macro level may be in high, medium or low risk as depicted in the adjoining chart.
Ethics: Business ethics show in all aspects of business conduct, from the board room strategies to the front desk personnel. It goes beyond legal requirements, and shows whether business is conducted on values of integrity, honesty and fairness. It shows whether employees at all levels are able to walk the talk. A clearly defined and implemented code of conduct improves the organization culture. However, an organization which has not implemented a code of conduct may have a negative organization culture. In such a case, decisions are taken arbitrarily, organization lacks transparency and may disregard laws and regulations to achieve profitability. Commitment to follow the business ethics, reflect whether organization has high, medium or low compliance risk. High compliance risk raises questions on reliability and authenticity of financial statements.
Attitudes & Beliefs: The psychology and behavior shown throughout the organization by the employees for doing day-to-day operations reflect the organization culture. Organizations show healthy attitudes where employees are rewarded on performance, there is lack of discrimination due to age, race, color and gender and there is minimal harassment and workplace aggression. Organizations having aggressive work cultures, which are number driven and lack humanity, impact the control environment negatively. In such cases, for the sake of efficiency, legal requirements are compromised. Carried to an excessive stage, the organization may become unsafe for work and/or shareholder investments. The control environment is such cases maybe seriously impacted, as there is strong alignment towards unhealthy and corrupt business practices.
The above mentioned three aspects clearly indicate that organization culture has a significant impact on control environment of the organization. An internal control auditor would benefit from understanding and assessing the organization culture. An organization risk appetite, philosophy, and exposures can be determined while analyzing the organization culture. A risk dashboard and/ or internal audit program should be developed keeping the organization culture in mind. An internal audit report must mention the impact of organization culture on internal control environment and the risks the organization is exposed to, due to negative or unhealthy organization culture. Recommendations should be given to improve and build a healthy organization culture.