When I launched my internal audit career, the idea of auditing the “softer” side of an organization’s culture was anathema to the profession. Back in the day, it was believed internal audit should focus on hard controls, such as policies and procedures. If we strayed into any area touching on culture, we still focused on hard controls such as codes of conduct or human resources policies. Evaluating concepts as intangible as trust, ethics, competence, and leadership styles was something for psychologists and pop-culture gurus to worry about. In retrospect, a lot of heartache and failure across a multitude of organizations might have been prevented had internal audit taken on the full spectrum of culture 40 years ago. As it is, the concept has only gained broader acceptance among internal auditors and their stakeholders in the past decade. All I can say to that is, it’s about time!
Organizational cultures are complicated, and trying to grasp how they develop and change is no easy task. Yet, we can get a basic understanding of conditions that exist in or contribute to poor cultures by understanding those conditions in healthy cultures. I always start with my simple definition of culture – “How things are done around here” – and ask the questions, “How should things be done around here?” and “How do we say things are done around here?”
This should be well within the comfort zone of any internal auditor. It is not difficult to find practices and protocols that are universally accepted as contributing to healthy cultures, e.g. codes of ethics, conflict of interest declarations, corporate governance codes, conformance to laws, regulations and organizational policies, equal and judicious application of rules, etc. By establishing a foundation of conditions that support healthy culture we can more easily identify the signs of weakened or eroded ones. For example:
There are telltale indicators of an eroding, or toxic, culture. For example:
A couple of years ago, I delivered a lecture on auditing culture to a conference of corporate board chairs in India. At the conclusion of my remarks, one of the board members stood up and made a comment that was truly profound. He shared his view that internal auditors should audit culture. However, he went on to note that we normally use our senses of sight and sound in conducting audits by physically observing evidence or interviewing individuals. He then observed that when auditing culture we also needed to leverage a sense of “smell.” He wasn’t suggesting that we could literally smell toxic cultures. Instead, he was suggesting that culture can be elusive when it comes to audit. All of the hard controls can be present, but “how things are done around here” can be very different.
I often encourage CAEs who seek my advice to ease into auditing culture. The first step should be to assess the effects of culture in every audit engagement. We are already compelled to identify the cause in any findings our audit produces. It’s easy to lay blame on superficial causes (e.g., lack of training or resources) when hard controls are inadequately designed or implemented. However, if we dig deep enough, we might find that ah-ha moment when we smell something and realize that the organization’s culture is to blame. For example, we might discover that compensation is based upon the number of contracts awarded rather than compliance with corporate policies, resulting in sole-sourced acquisitions. Allowing the end to justify the means is at the root of a number of high-profile corporate scandals and, ultimately, the demise of an organization’s culture.
If culture is found to be a root cause for any risk management or control failures, it should be included in individual conclusion findings in the final engagement report. This approach introduces and nurtures a keen awareness of culture for all members of the engagement team. While culture will likely not be identified as the root cause in every engagement, it may be identified as something that masks or exacerbates deficiencies observed. As multiple audits are conducted that identify culture as a root cause, it may be time for a capstone or theming report highlighting the trends noted regarding culture.
Culture clearly presents risk in organizations. Driven by either a genuine concern about culture’s impact on the organization or increased pressure from regulators and the investor community, more boards and senior managers are grasping the need to understand and monitor “how we do things around here.” Internal audit can be a leader in that movement or allow stakeholders to direct how we do the work. I believe we cannot allow the latter scenario to take hold. We must lead the movement by embracing the challenge and developing the skills to audit the “soft” as well as the “hard” side of culture.
I welcome your thoughts on auditing culture.