Enron, Worldcom, FIFA, General Motors, Volkswagen, and Wells Fargo are just a few examples of scandals caused by organizational cultures that encouraged inappropriate behavior. The reputation risk cries out for audit coverage, yet only 42 percent of internal audit functions are auditing their organization's culture, according to The IIA's 2016 North American Pulse of Internal Audit study.
Auditing an organization's culture can be challenging because of its complexity, its subjectivity, and the potential resistance of key players. However, approaches and techniques pioneered by some internal audit functions can help auditors successfully enhance coverage of culture.
Complexity of Culture
One definition of culture is "the actual values that influence everyday behavior within the organization." These are not the organization's stated values or desired values, but the values people actually live by in the workplace. Culture is shaped primarily by tone at the top, but it is also influenced by factors such as business strategy, organizational structure, incentives, employees' personal values, and human resource practices. Each factor interacts with the others in a complex web. Adding to this complexity are:
Subcultures Managers create subcultures within their spheres of influence, which might not be consistent with the organization's culture. This challenge is an opportunity for internal audit because it can be identified during audits and provide valuable information for higher-level management.
Different Cultures There is no right culture and no ideal risk/reward balance, even for different parts of the organization. For example, finance may have a more conservative culture, and sales may have a more aggressive culture, which is appropriate within limits. To meet this challenge, internal auditors must have good judgment, business knowledge, and transparent communication to put such differences into perspective and determine whether they are appropriate.
No Defined Criteria Ideally, management and the board should define expectations for each part of the business, as well as the observable behaviors that illustrate consistency with, or variance from, that expectation. This is rarely done. The lack of clear, specific criteria to audit against increases the challenge of auditing culture. To address this challenge, some internal audit departments have developed a culture model — usually starting from a model developed by an outside firm. For example, Prudential uses a model it co-developed with EY (see "Auditing Prudential's Control Environment: Areas of Focus" at right). Once the board and executives buy into the model, internal audit can develop audit programs and tools to address specific expectations and behaviors within that framework.
The Extended Organization Although they are difficult to identify, cultural inconsistencies in global operations, outsourced functions, vendors, and joint venture partners can be harmful to the organization. Internal auditors must adapt their approach, audit tools, and judgment to account for differences in country cultures. Some organizations require their vendors and third-party providers to submit a report annually showing how they comply with the organization's values. Then they meet to discuss the report, which can be more meaningful than the report, itself.
Culture Is Perception
Before addressing the techniques internal auditors are using to audit culture, a basic principle and its related challenges are worth discussing. An organization's culture does not exist in formal documents such as codes of ethics or value statements, which only reflect what the organization says it wants the culture to be. Nor does it exist in what the board and executives tell auditors about the culture. They can describe what they think the culture is, but their perception of the culture is filtered by employees' unwillingness to tell them there are problems in the culture.
The culture exists in the perceptions of employees. If employees believe the culture is "win at all costs, do whatever it takes," that's the way they behave. If employees believe the culture is "put the customer first," that's the way they behave. That's why a common definition of culture is simply "how we do things around here."
Employees are the best source of information about the culture, but getting that information presents several challenges for auditors:
- Employees might not be fully candid, especially if they fear retribution for saying something negative to the auditors.
- They may have cultural blind spots that make them unable to see a cultural weakness from within the culture.
- Some employees may be chronic complainers.
- Surveys, interviews, and workshops by internal auditors might be influenced by the same blind spots.
- The response to the results will be influenced by the culture.
Internal auditors must be aware of these challenges and use knowledge of their organization, good judgment, and interpersonal skills to deal with them as they develop and apply their assessment techniques. There are several keys to auditing culture successfully.
|The Subjectivity of Culture
Culture is inherently subjective. So how can internal auditors obtain objective evidence about something that is, itself, subjective? The answer is the evidence obtained in auditing culture doesn’t have to be as objective as the evidence obtained in auditing hard controls. The applicable International
Standards for the Professional Practice of Internal Auditing (1100, 1120, 2310, 2320, and 2420) do not require objective evidence. To summarize what the
Standards say, internal auditors must identify the best attainable information about the culture through the use of appropriate engagement techniques. This information must be factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Internal auditors must base their conclusions and engagement results on appropriate analyses and evaluations. Their reporting of results must be fair, impartial, and the result of a balanced assessment of all relevant facts and circumstances.
To comply with the
Standards, internal auditors typically use a combination of objective and subjective evidence, evaluate it objectively, and “connect the dots” about the culture in a way that is persuasive. They are careful not to conclude more firmly than the evidence supports, and they present results as giving perspective into the culture rather than stating audit opinions or ratings.
Executives and board members are at least intuitively aware of the challenges in auditing culture and may be skeptical of internal audit's ability to deal with them. For the audit to succeed, executives and board members must be willing to accept less hard evidence than they are used to receiving and accept that there are gray areas (see "The Subjectivity of Culture" at right). Chief audit executives (CAEs) must persuade them that their internal audit team has the skills, judgment, tools, and techniques to provide valuable insights into the culture. The team, of course, must in fact have these attributes. If it does and the board agrees, it is helpful to establish auditing culture as a mandate in the internal audit charter. If the team does not have the skills, it is best to take baby steps into evaluating soft controls while building the team toward a more robust focus on culture.
Audit Skills The Chartered Institute of Internal Auditors' 2016 report, Organisational Culture — Evolving Approaches to Embedding and Assurance, details the skills and competencies internal auditors in the U.K. and Ireland say the profession needs to audit culture:
- Professional judgment (84 percent).
- Use of experienced or senior auditors to lead the work
- (71 percent).
- Enhanced communication skills to deliver unpalatable findings (60 percent).
- Influence and negotiation skills (48 percent).
- Training from specialists on qualitative methods and survey design (33 percent).
Just 21 percent of respondents say auditors already have the skills necessary to assess culture and soft controls, the survey notes. Organizations could supplement the skills of the audit team by partnering with other assurance providers, such as those in the second line of defense. Cosourcing with outside providers can be another good option.
Audit's Relationship to the Business Support from the top is crucial but not sufficient. Internal audit must have earned the trust and credibility of managers throughout the organization to deal with sensitive issues appropriately. If this is not the case, auditors should rely on tools such as anonymous employee surveys initially and focus on building relationships. Extra care should be taken in reporting audit results in ways that are most likely to get corrective action taken without unintended negative repercussions. The CAE and audit managers will have to work more closely with the audit team to be sure they are using mature judgment and communicating appropriately with their clients.
Scope and Techniques
The most comprehensive culture audits combine hard and soft control testing at a variety of levels. For example:
- Audits of entity-level governance and risk management structures and activities.
- Audits of processes with significant cultural influence such as ethics training, incentives, and human resource practices.
- Cross-functional thematic audits such as culture of compliance and management initiatives.
- Cultural auditing embedded in every audit project.
Audit results should include hard evidence where it applies, as well as the results of interviews and other self-assessment techniques. All audit evidence should be correlated and analyzed until reasonable and persuasive statements about culture emerge. Conclusions should be discussed and modified, if appropriate, at all levels before they are finalized. Internal audit techniques that have proven effective for auditing culture are root cause analysis, structured interviews, employee surveys, and self-assessment workshops.
Root cause analysis is basic-to-good internal auditing. Pushed deeply enough, the root cause of an audit issue is often cultural. It might be a disconnect between the desired overall culture and the subculture created by a manager. Or it might be pervasive. "Connecting the dots" from numerous audits can create persuasive evidence of an issue in the overall culture.
Structured interviews enable internal auditors to ask a sample of employees the same questions. For example, to determine whether a "culture of compliance" exists in his company, a CAE personally interviews 65 of the 1,000 employees. He starts with simple questions to set each employee at ease and later gets into sensitive questions like, "Have you ever been asked to do anything that you believe violates the code of business conduct or company policies?"
This technique is more objective than unstructured interviews because one set of questions and one skilled interviewer bring consistency to the process. It does, however, require a high level of interviewing skills to detect when someone's positive answer isn't what the person is really thinking and ask the right follow-up questions. It also relies on the interviewer's understanding of what was said and the willingness of upper management to believe its accuracy.
Employee surveys have the advantages of gathering evidence from a large sample of employees and producing objective data. The most common survey technique for internal auditors is asking employees to respond to a series of statements by indicating whether they strongly agree, agree, disagree, or strongly disagree with each statement, with an option like "not applicable" or "don't know" off to the side and not factored into the results. The audit report can then state, for example, that "46 percent of responding employees disagreed or strongly disagreed with the statement. …" This is an objective fact. The auditor then must look for corroborating evidence and investigate the root cause.
A well-constructed survey — provided that employees believe it is anonymous and action will be taken to address their concerns — can generate data that accurately reflects employees' perceptions of the culture. It is possible, of course, that the results reflect a misperception. This is why the auditor must look for corroborating evidence. If it turns out to be a misperception, that is valuable information that should be reported to the local manager, who can then correct it.
Employee surveys can be used at two levels: on audit projects or organizationwide. Some internal audit departments have a standard survey they use on every audit, with a section in the audit report including corrective action plans. Others develop a survey for just one audit when the situation and level of risk justify the time involved. Some internal audit departments have developed and administer an organizationwide survey, usually annually.
Many large organizations have an existing, organizationwide employee survey. Most of these surveys include little or nothing on topics such as ethics or risk that are essential to the culture. Some internal auditors have reviewed the content, developed survey statements that address these issues, and persuaded management to add them to the survey. They can then use the survey results as a key risk factor in developing their periodic audit plan. When the survey suggests cultural issues in an auditable entity, the results also can be used to help plan and scope that audit. And when process deficiencies are found, the root cause might be identified in the survey. Linking the objectively evidenced deficiency to the survey results can be very persuasive to management that a cultural issue exists.
Facilitated workshops were the first tools used by internal auditors for evaluating soft controls. In this technique, a group of employees is guided through a disciplined analysis, often using the same kind of statements that are used in surveys, together with confidential voting technology to gather and tabulate the results. Discussing the issues that emerge with the employees who experience them can be powerful. Today, workshops are used more by risk management departments for risk assessment, while internal auditors more frequently use surveys.
In addition to these techniques, internal audit can leverage metrics that reflect the culture to develop the periodic audit plan, plan and scope audit projects, and support audit results. Hard data can be persuasive. A monthly dashboard could give meaningful perspective on the culture to executives and the board. The dashboard could present metrics such as:
- Customer survey results.
- Number and trend of customer complaints.
- Turnover statistics.
- Sick time statistics.
- Warranty claims.
- Frequency of performance targets being missed.
- Frequency of large projects failing.
- Hotline statistics.
- Environmental impact data.
The best metrics auditors can use depends on the organization. Several metrics would be specific to the organization or its industry.
Culture does not lend itself to a pass/fail type of audit opinion. IIA guidance addressing sensitive topics often recommends considering a maturity model to report results. With a maturity model, executives and the board can decide how mature they want the organization to be with each attribute listed. Internal audit results can then be presented in terms of the model and help measure how mature each attribute actually is. This reporting vehicle assumes that the organization is working to get better (more mature) with the attributes important to it and helps measure progress along the way.
Culture might be the most challenging audit topic the profession has ever faced. Internal auditors must be realistic about the constraints they have in their own organizations. If the constraints are substantial, auditors should do what they can at present and look for opportunities to expand over time. It may be impossible to ever give a firm opinion on the quality of an organization's culture. But good auditors using good techniques, judgment, and communication skills can present solid evidence about the culture to executives and the board. Over time, the picture this evidence paints will become clearer and more persuasive. This may be the most valuable information internal audit will ever provide.