Boards and senior management have the prime responsibility for defining and analysing organisational culture by promoting the values and the behaviours they wish to see across their organisations.
Boards need assurance that a culture of learning from mistakes and rewarding the right behaviour, together with systems and processes that produce the desired behaviours, is being embedded across their organisations. A statement of values is not sufficient on its own; boards need to know that ‘espoused’ values are the same as actual values on the ground. Providing assurance to boards around values on the ground, however, is just part of the picture, as culture is not merely the articulation of an organisation’s values.
The use of gut feel can play a part in the audit of culture but in the digital age, assurance providers can make much greater use of hard as well as soft indicators to reduce the subjectivity of their findings. Data from internal reporting systems can be aggregated and used to identify trends and reveal issues of which the board may be unaware. The emergence of ‘big data’ provides scope for internal auditors to develop specific skills and work with data analysts to provide insight.
Who owns culture in an organisation is an issue that boards and senior management need to resolve. It is unclear, otherwise, whom board committees charged with cultural issues should turn to for advice and guidance.
Internal audit is one of the assurance providers that boards and senior management have turned to with some success, but there is still a long way to go. The positioning and reach of internal audit and the ability to ‘tell it how it is’ are as important as the ability to audit cultural issues. Its role as the inside-outsider is the key to success when providing culture assurance. But audit committee members and senior executives must be open to the idea that, at present, there may be less hard evidence than in more traditional audits, and must accept the likelihood of grey areas with differences of opinion. This may entail a change in culture and behaviour at the audit committee itself.
Done well, internal audit has a key part to play in assuring boards around culture. But this should not be confused with the idea that internal audit should be the board’s sole assurance provider. This is because internal auditors need to have much more than the traditional skillset to succeed in this area. Furthermore, others have a role to play in embedding and assurance. It is critical for internal audit to have strong relationships with other functions across the organisation.
The approaches to providing assurance around culture are evolving, and some promising examples of new approaches are beginning to emerge. But this is the beginning, rather than the end, of the process. Internal auditors, like all other functions involved in the management and governance of organisations, have much to learn if a step-change is to be achieved. For its part, the Institute is committed to supporting the collective effort.
Against this backdrop, there is much work to be done – for internal auditors, for audit committees and boards, for senior management teams, and others. In particular, we recommend:
In November/December 2015, we conducted a survey of heads of internal audit (HIAs) from all sectors of the economy, to collect factual data on the extent to which the profession is involved in auditing culture; the methods they are using; who else they are working with; and how they are reporting on issues raised.