IIA issues requirements for organizational behavior

The Institute of Internal Auditors has released its latest "topical requirement," this time on organizational behavior as part of a company's culture.

The IIA has previously released two other topical requirement documents, on cybersecurity and third-party relationships. The organizational behavior guidance deals with the human side of risk, including the observable actions, decisions and interpersonal dynamics of individuals and groups within an organization. 

"Misaligned behavior can prevent organizations from achieving strategic objectives, fulfilling stakeholder expectations, and complying with regulatory standards," said the IIA. "The Organizational Behavior Topical Requirement provides a minimum baseline and consistent, comprehensive approach to help auditors assess the design and effectiveness of control processes related to behavior."

The document offers guidance to help internal auditors review how behavior is overseen in the organization, how behavior-related risks are identified and addressed, and whether the structures in place, such as controls, incentives and accountability, encourage people to act in ways that support the organization's goals.

"We're looking at the organization's ability to respond to risk and the behavioral patterns in response to risk," IIA president and CEO Anthony Pugliese said during a recent podcast with Accounting Today. "Things like empowerment from upper management all the way through the organization and things like that. Making sure that there was an understanding that the organization when faced with a risk would be able to have a response that made sense by virtue of its culture, its risk tolerance, stated risk levels, all those kinds of things."

The next topical requirement will focus on organizational resilience, dealing with risks that could significantly disrupt or impair an organization's ability to deliver its core products and services, maintain stakeholder trust, or meet its strategic objectives. That includes natural disasters, public health crises and other disruptive risks. It's expected to be released next year.