When I think about how the role of internal auditing is evolving, I am struck by the diversity of issues we address. Internal auditors deal with an ever-expanding portfolio of challenges that encompass operational risk, strategic decision-making, compliance, technology vulnerabilities, security threats, fraud prevention and detection, environmental risks, disaster preparedness . . . the list goes on and on.
Even once-unthinkable subjects like corporate culture are now subject to audit. This is as it should be. We can’t deliver fully effective risk-based audit services if we ignore critical issues, such as a toxic corporate culture.
But I wonder sometimes how comfortable we are when internal audit tackles a new challenge. For the tasks we deal with regularly, we have a robust body of professional guidance. And we can call upon more experienced colleagues to help us ensure our work is efficient and effective. For newer types of audit, however, less help is available, and it can be difficult or impossible to locate appropriate and specific guidance.
That’s one of the reasons I was happy to receive a copy of a new report from the Chartered Institute of Internal Auditors in the United Kingdom. I believe their new publication, Culture and the Role of Internal Audit: Looking Below the Surface, helps fill an existing gap in the literature available to internal audit professionals on this important topic. Poor organizational culture has been identified as the root cause of recent scandals in the health, financial, and food sectors, among others. But until now, I have seen relatively little insight regarding how internal auditors should audit and report on culture.
There are few areas where authoritative insight is so badly needed by auditors. The use of intuition plays a role in the audit of organizational culture, but this is likely to take many auditors out of their comfort zone. We excel at dealing with hard facts and figures, but for comprehensive cultural audits, both qualitative and quantitative skills are needed.
Certainly, quantitative information about organizational culture is easier to deal with than the qualitative. Designing surveys about corporate culture is a simple task, for example. But while survey results can provide evidence regarding the existence of problems, surveys rarely get to the root cause of cultural issues. It’s easy to draw up a checklist to ensure codes of ethics and value statements are in place, but when the organizational culture has gone sour, the world’s best-written value statements and ethics codes are often ignored. A quantitative checklist approach to these audits can only go so far.
When we audit our organization’s culture, sensitive issues are involved. It can be challenging to report on these issues in ways that are both tactful and effective. Even the most senior internal auditors may find they need to develop new communication and relationship skills if they are to be change agents in this complex field.
The new U.K. report calls for internal auditors to:
Telling auditors to “trust their judgment” is good advice, but it might be advice that is difficult to follow. If you have not been involved in an audit of organizational culture (and I suspect relatively few of us have), I would be interested in knowing how comfortable you would feel about performing one of these audits and presenting the results to your stakeholders.
And if your organization has undertaken a comprehensive audit of corporate culture, I would appreciate hearing about the experience. The IIA’s motto is “Progress Through Sharing,” so please think of this as a place to share your ideas.