Training insights: Introducing behavioural risk into audit assignments
Culture risk has become an important theme for internal audit over the past few years – first in response to high-profile scandals, then the financial crisis, and more recently in discussions about diversity and inclusion. The pandemic brought it to the fore again, with many people affected by remote working, reduced personal interactions and increased individual autonomy. These behaviour shifts led to significant cultural changes – positive and negative. More recently, sickness, workload pressures, talent shortages, increased staff turnover and inflation rises are all affecting teams.
Internal audit must be discerning about what aspects of culture it engages with. It needs to understand which issues management, HR and other functions are working on, and it needs to determine which problems create the greatest risk – across the organisation or in specific areas.
A “Behavioural risk” approach is important, because it can be easy to overlook problems within specific departments, or between departments, or in the way people behave in relation to specific risks. Problematic behaviour can be local, so it is often much harder to spot than a problem with the wider organisational culture.
This is why the Chartered IIA has introduced a new course entitled “Introducing behavioural risk into audit assignments”, which aims to help internal auditors at all levels to incorporate awareness of behavioural risk and its potential red flags into their day-to-day audit work.
“The problem is often less about overall culture than about the behaviour of particular people on a particular day in a particular room on a particular project,” explains James Paterson, former chief audit executive of AstraZeneca, who leads the course. “I also lead the Chartered IIA’s training courses on culture and root cause analysis and we regularly discuss the way internal auditors spot specific problem areas and patterns of behaviour by particular managers that create a disproportionate amount of risk. These often delay assignment delivery by causing arguments over facts and debates about the importance of issues and the urgency with which issues should be remediated.”
He cites a hypothetical example of someone in an IT team who has had an argument with their team manager and didn’t get a pay rise, so is planning to leave and is content to allow the company website to crash.
“This is not a general cultural risk – it involves the specific behaviour of a single person – but it could have serious consequences,” Paterson says. “We need to get better at recognising the ‘hairline cracks’ that lead to problems with individual behaviour. For example, a team that has a friendly, supportive culture may, when it’s under pressure, be reluctant to call out the person who doesn’t pull their weight, even if this causes potentially important risks.”
The effects of behavioural risk may be visible in, for example, a pattern of projects going over budget or leading to disappointing software upgrades, despite the presence of cultural
tools, such as staff questionnaires, indicating a broadly positive culture.
“You could say ‘we have a culture of disappointing projects’, but you need to look at what causes these disappointments.” Paterson says. “It may be that people fear raising a problem with the project in case their boss thinks they’re being negative, or for fear that they are seen to be a poor performer who can’t cope. Or they may think that flagging up problems will simply load them with more work and no additional resources to address it. Each of these ‘local’ issues can result in problems that have a huge cumulative impact on project success. These problems are often subtle and operate below the corporate risk radar screen.”
The course will therefore ask attendees to reappraise their attitude to culture and will draw their attention to warning signs that are frequently ignored. It’s aimed more at identifying behaviours that put processes, control activities and projects at risk than focusing narrowly on the risk of fraud or corruption.
It will encourage internal auditors to think differently and increase their awareness of red flags in all their audit work, and it will also be relevant to internal audit leaders, who can apply this heightened sensitivity when they attend steering groups and other meetings as observers.
“There’s often an ambiguity about the mandate of internal audit on a steering group – are the internal auditors there to look at the project status updates and open-action tracking, or also at the meeting dynamics?” Paterson says. “The good functioning of the steering group in its meetings is crucial to the good functioning of the project, so if you spot behavioural problems in the meeting, you should call
them out.”
“If you identify and call out the behavioural risks that you see all the time, you can join up the dots to make a bigger point with more impact,” he adds. “Raising concerns about individual behaviour – for example, if the chair of a committee has difficulty managing agenda items – may sound trivial. However, ongoing poor time-management results in less time to explore and resolve important risks. And when this happens, it can create a fault line that runs through the whole project and can cause problems in a range of ways.”
Because behavioural risk may highlight shortcomings in meeting management and strained relations between departments and other personal interactions, it requires even more tact and sensitivity from the internal auditors who spot it.
“It’s important to understand that thinking about behavioural risk is not about pointing the finger at one person and saying ‘it’s your fault’,” Paterson says. “The internal auditor’s role should be to help people to understand how behaviour emerges from a range of organisational and personal factors, and be able to highlight when a blind spot has arisen and make proportionate and constructive recommendations to ensure things work better in future.”
This is why the course not only helps participants to recognise what behavioural risk is, and how it may impact an organisation, but also to understand what they will gain from adding a behavioural element to audit planning and how to add a behavioural risk component into an assignment.
Case studies will enable people to discuss what they could do in specific situations to improve internal audit outcomes, explaining why behavioural risk matters to an organisation’s performance.
Just as a rain cloud may start in high mountains and only become a major problem when the storm breaks over the city on the plain, so behavioural risk may start as a personal clash between individuals, or lax management in a single team, but then escalate to create a much bigger problem.
This article was first published in September 2022.