Auditing Culture
As corporate misconduct continues, from the bad old days of Enron, to the more current examples of Volkswagen, Nissan and NAB foreshadowing the dark side of business in the event of compliance failures; there is an overwhelming need for corporate culture to be added to the internal audit workload. So say IIA Global, whose 2016 white paper asserted that ‘auditing culture helps the organisation manage it’, a fact no business should disregard in light of conduct regulations turning up the heat where compliance is concerned.
The culture of an organisation relates simply to the way things are done. It is informed by a set of assumptions and norms by which everybody in the business operates.
When corporate culture is left unchecked, with leadership unsure of how to implement it and thus employees lacking direction, there is more chance for policies to be breached and damage to spiral. Regardless of industry sector or size of organisation, internal auditors need to get serious about culture as a way of reinforcing confidence for the Board who want to know that the correct tone and approach are permeating the business from top down.
Internal auditors should be asking the organisation about the way control functions are valued within the organisation; whether policy or control breaches are tolerated; how effective the organisation’s strategies are in identifying vulnerabilities that could lead to risk and compliance events; whether those in all positions of management are upholding the organisation’s cultural values so as to provide a strong role model for the rest of the business; and how aware the business is of any sub-cultures not conforming to ‘the tone at the top’.
Unlike other, risk-based audit projects, an audit of culture will often rely on the auditor’s instincts as they review qualitative information from surveys and employee interviews. Really, these types of audits should be performed by the most experienced individuals on the audit team. Those who have been working in audit for a considerable period of time to have become skilled in making judgements, assessing the qualitative side of data analysis and having the confidence to conduct interviews with and actually challenge senior management.
Tact and discretion are paramount when it comes to extracting the information required for an audit of culture, as the issues that can arise are often of a sensitive nature and likely relate to those at the helm of the organisation. With such information needing to be procured and potentially concerns that the organisation’s internal audit team may have become so much a part of its culture as to be unable to view it objectively; some organisations may look to outsource the culture audit to an external firm. This may also lead to more honest transactions between employees and interviewers if the latter are separate to the organisation. Though of course, this may be subject to cost as businesses would need to employ the most senior auditors of an external firm to ensure the audit was navigated effectively.
The culture of an organisation is the foundation from which everything else can operate. It sets the tone for employee and business conduct and if it is well regulated, advocating for accountability and continually monitored, then any weak spots that could impact the organisation as a whole can be identified. Audits of culture however present more of a challenge when it comes to implementing the relevant changes with measures such as education and training for the business possibly required or the overhaul of an entire department. So it will take time for an organisation to decide how best to respond.