Auditing culture - the clock is ticking
What do we mean by culture?
In basic terms, culture is the set of enduring and underlying assumptions and norms that determine how things are done in an organisation. A coherent culture is based on shared values and beliefs, and the evidence that they are shared, is that they shape behaviour across an organisation. The challenge for leadership is knowing how to instil or modify those assumptions and norms in the direction that is needed.
In 2016, the Chartered IIA undertook a research project and produced a report looking at culture in a variety of organisations, and the role that an internal auditor might play in providing assurance that a culture of learning from mistakes, rewarding the right behaviour and systems and processes that produce the desired behaviours are being embedded across their organisations. A statement of values is not sufficient on its own; boards need to know that ‘espoused’ values are the same as actual values on the ground.
Gut instinct can play a part in the audit of culture but, in the digital age, assurance providers can make much greater use of hard as well as soft indicators to reduce the subjectivity of their findings. Data from internal reporting systems can be aggregated and used to identify trends and reveal issues of which the board may be unaware. The emergence of ‘big data’ provides scope for internal auditors to develop specific skills and work with data analysts to provide insight.
Internal audit is one of the assurance providers that boards and senior management have turned to with some success; but there is still a long way to go. The positioning and reach of internal audit and the ability to 'tell it how it is’ are as important as the ability to audit cultural issues. Its role as the inside-outsider is the key to success when providing culture assurance. But audit committee members and senior executives must be open to the idea that, at present, there may be less hard evidence compared to more traditional audits and accept the likelihood of grey areas with differences of opinion. This may entail a change in culture and behaviour at the audit committee itself.
What culture is not
There is not one definition of a good culture or a right culture. What works in one company may not work in another, it isn’t one size fits all.
How might we audit culture?
There are a number of schools of thought about how internal audit might audit culture. We might add culture as a topic area for each and every report similar to the approach adopted in the early days of risk management and data protection. Or we might eat the elephant in the room in smaller chunks. For example, an audit of the culture around risk management or in relation to human rights/modern slavery. Or, we might decide to eat the whole elephant and undertake an audit of culture across the organisation.
Whichever approach works for you is the one to consider but as the clock ticks, internal auditors across all sectors and in all sizes of organisations need to start thinking about culture and the level of assurance provided to the board and audit committee that the culture in the organisation is appropriate.
Without question internal audit has the independence and objectivity to audit corporate culture.
Jose Tabuena, a US colleague who provides audit and compliance services, has produced an article, Auditing corporate culture: a new imperative, that contains some interesting thoughts around the approach we might adopt.
For example, some of the questions that internal audit might ask of the organisation, to test the appropriateness of the culture might be:
- Whether control functions are valued within the organisation, including having key policies and processes by which the organisation establishes cultural values
- Whether policy or control breaches are tolerated
- Whether the organisation proactively seeks to identify risk and compliance events
- Whether line managers are effective role models of an organisation's culture
- Whether sub-cultures that may not conform to overall corporate culture are identified and addressed
Internal audit has now entered the corporate culture game. IIA Global published a white paper encouraging its members to take a closer look at the culture that can impact its business. The paper makes the case that too many high-profile compliance failures in recent history can be tied to cultures that encouraged, allowed, or looked past illicit behaviour.
Without question internal audit has the independence and objectivity to audit corporate culture.
IIA Global pointedly observes that culture needs to be added to the internal audit workload, 'Because auditing culture helps the organization manage it'.
