Are boards and internal auditors focusing enough on corporate culture and are they taking it as seriously as they should be? This is the fundamental question behind the Chartered IIA’s recent publication “Cultivating a Healthy Culture”. Despite good work in some organisations, the answer in too many others is obviously not. Internal audit has a clear role to play in helping businesses to understand more about why culture is a critical risk to their security and sustainability and what they can do about it.
Culture is not a new concern for internal audit, but the Covid pandemic has caused deep shifts in our society and in the wider economic environment that have both highlighted the value of a strong corporate culture and created circumstances that can weaken or change established cultures.
Remote and hybrid working, long-distance staff induction, perceived inequalities in the impact of Covid on various minorities, new divisions created by the way in which the pandemic affected the young and the old, the wealthier and the poorer and office workers and those who cannot work from home all affect culture. Different experiences of illness and varying degrees of vulnerability to the disease have changed people’s outlooks. Some have reassessed their priorities and expectations, while the rising cost of living is creating new stresses and temptations.
Covid is not the only driver of change. Organisations are also coming under increasing pressure from wider society to ensure that their corporate culture embraces and supports greater levels of equality, diversity, and inclusion (EDI). Media headlines highlighting problems, such as the recent racism scandal at Yorkshire County Cricket Club, shine a spotlight on the risks associated with an unhealthy workplace culture and on the strong links between corporate culture and EDI. And, while much of the debate focuses on the risks, there are great opportunities – organisations with healthy cultures tend to perform better and be more resilient.
This issue is rising up the agenda. The institute’s most recent “Risk in Focus” report found a 35 per cent year-on-year increase in the number of chief audit executives (CAEs) who cited organisational culture as a top five risk. Internal audit teams that have been confident in the past about their corporate culture should therefore be assessing and monitoring potential changes, while those who have not paid it much attention before should do so now – urgently.
The research behind the new report found that the risk areas with the most impact on corporate culture are human resources, talent management, recruitment and retention; inclusion, equality and diversity; and health, safety and staff wellbeing. Over 70 per cent of CAEs questioned believed that their boards had established and articulated the culture they want in their organisation; however, over half had not been asked by either the board or audit committee to provide reports on culture and/or inclusion, equality and diversity initiatives.
The Chartered IIA’s internal audit codes of practice make it clear that the risk and control culture of the organisation falls within internal audit’s scope. However, “risk culture” is only one aspect of organisational culture, and internal audit functions should also encompass other important aspects of organisational culture within their work.
Many culture risks are also closely interrelated, so when internal auditors plan an audit of another business-critical risk area, it’s important to ask whether they should examine the potential impacts these risks could be having on the overall organisational culture – and vice versa.
Some aspects of organisational culture involve psychology and understanding how and why people behave the way they do and how they perceive the culture in their workplace. Do people feel like a valued member of the team, are they confident about speaking up if they are concerned about something – and do they believe they will be listened to? This is known as “psychological safety” and it’s an important indicator of an organisation’s culture, especially when it comes to issues around equality, diversity and inclusion.
Other elements of culture involve collecting accurate data – from staff surveys, results of investigations, whistle-blowing hotlines, etc. This is essential to track cultural changes and raise red flags. Once internal auditors have access to this data, they need data analytics tools to make sense of it and identify risk areas to examine more closely. Some internal audit teams have created dashboards of live metrics that they monitor continuously.
The focus on organisational culture is likely to continue to grow, so it is vital for internal audit functions to monitor, assess and provide independent assurance in this space. Those that haven’t already done so should start by reading “Cultivating a Healthy Culture” and having a conversation with the audit committee chair about the risks – and opportunities – associated with corporate culture.
1 Having the right corporate culture – one that is aligned to the organisation’s purpose, values, strategy and vision for the future – is of fundamental importance to the success and long-term sustainability
2 The corporate culture of an organisation also touches upon, and interlinks with, a wide range of business-critical risk areas. From a risk culture perspective, it can have a significant impact on the robustness of the risk management and internal control environment.
3 Boards, audit committees and internal audit should therefore be taking corporate culture, and the risks associated with a weak, poor or unhealthy culture, seriously.
4 Boards play a critical role in articulating, establishing and embedding corporate culture, ensuring it cascades through the organisation. It is vital to set the right tone from the top.
5 While the CEO has a particularly important role, the entire board is responsible for ensuring that corporate culture is promoted and embedded, monitored, measured and assessed regularly. This should include seeking independent assurance.
6 Internal audit must provide assurance that the first- and second-line business functions are embedding, monitoring and assessing corporate culture effectively.
7 Internal audit should independently monitor, measure and assess corporate culture, reinforcing the assurance provided by the first and second lines.
8 Internal audit must adopt a proactive approach to its work on corporate culture, and not wait for the board or the audit committee to ask before it does something about it.
9 Internal audit functions that have concerns about organisational culture must speak to the board or audit committee. Equally, boards and audit committees should seek the support of their internal audit functions and ask for independent assurance over corporate culture.
10 Internal audit functions must have sufficient skills, resources and capabilities to audit corporate culture and behaviour effectively.
11 Internal audit should tackle corporate culture audit work the same way as they tackle audit work in other business areas and “culture auditors” should be expected to have expertise and knowledge in this area.
12 Internal audit functions should consider whether members of the team need training to audit corporate culture, or whether they would gain value from hiring in expertise to support their work in this area. For example, many of the most mature internal audit functions have developed their work in this area by employing dedicated organisational psychologists or behavioural risk specialists.
This article was first published in May 2022.