Auditing culture - why good companies go bad

Technical blog by Liz Sandwith, chief professional practice advisor |  9 February 2017

One the most common business phenomena is also one of the most perplexing; when successful companies face big changes in their environment, they often fail to respond effectively. Unable to defend themselves against competitors armed with new products, technologies, or strategies, they watch their sales and profits erode, their best people leave, and their stock valuations tumble. Some ultimately manage to recover, usually after painful rounds of downsizing and restructuring, but many don’t.

So why do good companies go bad? It’s often assumed that the problem is paralysis. Confronted with a disruption in business conditions, companies freeze; they’re caught like the proverbial rabbit in the headlights. But that explanation doesn’t fit the facts. Is it more to do with the culture of the organisation?

The Confederation of British Industry (CBI) describes the culture of an organisation as 'the mix of shared values, attitudes and patterns of behaviour that give the organisation its particular character'.  This description recognises that organisations possess a mix of personalities who may share a broadly similar set of values, attitudes and behaviours.

Deal and Kennedy (management theorists) famously defined organisational culture in their 1982 book Corporate Culture: rites and rituals of corporate life as 'the way we do things around here'.

Management theorists have observed, organisational culture may be an abstraction, but it has powerful effects on the way organizations think and behave. Indeed, having ‘the right kind of culture’, a culture that is appropriate to the kind of enterprise in which an organization is engaged, is widely acknowledged to be among the most important determinants of how effective or successful the organisation will be.

Any organisation seeking to improve business performance and enhance the ability to manage risks and opportunities should be concerned with culture, including its risk culture. Senior leaders should be sponsoring activities and initiatives that seek to improve both hard and soft controls to the benefit of all key stakeholders.

Organisational culture has become a subject of increasing interest to internal auditors in their desire to understand the underlying causes of corporate governance failures. While it is a complex subject many people, particularly policy makers and regulators, feel that recognition and proactive management of cultural issues can help to prevent such failures in the future.

Internal audit can play an important role in prompting and widening organisational discussions about the cultural aspects that may be impacting performance and risk. As a result internal audit should be engaging with senior leaders with regard to questions of awareness, ownership and oversight of corporate culture and how and when independent and objective assurance can be provided.

Why audit culture?

As organisations grow and become more complex they look at competitors in their sector to seek to understand how and why they are more/less successful. Senior management then turn inwards and look within the organisation as to what works and what doesn’t and frequently turn to internal audit for assurance in key areas.  Culture may be described as the life blood of an organisation, therefore isn’t it reasonable to assume that they, senior stakeholders, would want an assurance that the culture within their organisation is ‘fit for purpose’. 

According to the Institute of Business Ethics (IBE), the corporate leadership team needs to know whether the culture they have got is actually the one they want. Internal audit can help through its work on assurance. This poses some big challenges for a profession that works by measuring things and where many practitioners believe that culture cannot be measured.

So how might we are internal audit respond to such demands from the corporate leadership team/senior stakeholders. From a practical perspective there are potentially four audit options:

  1. ‘Meta-audit’ of consolidated findings - using cultural insights from individual audits over a given period of time.
  2. Comprehensive general assurance on culture - compliance/effectiveness assurance against expectations, preferably defined by the Board.
  3. Standard assurance audit of a specific aspect - e.g. assurance that the defined governance structure is operating as intended, meetings held, right people attending, decisions made in meetings not corridors, risks considered, options debated, group think avoided, e.g. assurance that there is compliance with a diversity policy.
  4. Consultancy review providing insight into a specific aspect - e.g. advising on project/change ways of working, e.g. collaborating with Human Resources on identifying risks and next steps after an employee ‘health check’ survey.

But is this enough?

Baroness Hogg, Chair of the Audit and Risk Committee, John Lewis on industry culture stated: “You’re asking internal audit both to detect where they think culture is weak, and possibly to detect where it’s too strong.  So, internal audit needs to pick up behaviours that maybe have slipped in from the industry generally.  When you talk about the interplay with culture, you immediately ask whether there is a good enough culture, but you may be looking at bits that are too strong as well as too weak. What are the normal patterns of behaviour in an industry?  You’re looking out for industrial culture that has to be kept in check. Industry culture can be very strong.”

‘Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.’

Dr Ian Peters CEO, Chartered IIA

Whatever the definition, whatever the approach we as internal auditors decide to take there is no getting away from the fact that an audit of culture is becoming the expected norm in any and every internal audit programme of work.  Failure to undertake such an audit may result in your audit committee chair asking some difficult questions especially with the recent corporate issues that can be directly linked back to cultural issues e.g. Wells Fargo Bank, Barclays Libor, BP, and RBS.

The Chartered IIA undertook a research project in 2016 on culture and produced a report and a board briefing. We have also produced guidance on how to undertake an audit of culture.

Back to all blog posts

Content reviewed: 2 October 2019