There are many ways to audit an organization's culture. With strong support from the top and sufficient resources, some internal audit functions adopt a comprehensive, resource-intensive method. For others — I suspect most — it is best to start with a fairly simple approach and build from there. One such approach combines auditors' observations with data metrics. And because this strategy is not dramatically different from traditional audit techniques, clients shouldn't find it jarring or outside the norm. When implemented correctly, it can be a powerful means of gauging the cultural environment.
In "Beneath the Surface" (Internal Auditor, June 2018), author Doug Anderson compared culture to a volcano that can look calm on the outside while churning internally with lava and gases that could make it erupt without warning. Hard evidence of a culture — such as policies, programs, and even employee surveys in many cases — focuses on the surface. To really understand the culture, employees have to get inside it.
Signs of a Healthy Culture
- Strong tone at the top, in words and deeds.
- Open communication, an atmosphere of mutual trust.
- Accountability is enforced and accepted, without unrealistic expectations or unfair repercussions.
- A "just culture," which distinguishes among:
  - honest mistakes (no one is blamed).
  - risky behavior (addressed with coaching and education).
  - reckless behavior (intentionally excessively risky or unethical, which is punished).
- Effective challenge is encouraged and valued.
- Incentives that encourage healthy risk taking.
I've heard some audit practitioners say that an experienced internal auditor can almost predict an audit rating on the second or third day of an engagement just by sheer presence in the work environment. Talking with people, reading body language, sensing employees' attitudes, observing the physical environment — all contribute to a typically accurate understanding of an area's culture.
Auditors must, of course, keep an open mind and remain objective. Accordingly, many put their perceptions to the side and focus only on the objective, hard evidence. I'm reminded of an audit director who once told me about an instance where he became extremely frustrated with his team. The auditors returned to the office talking about the negative atmosphere of the client's area, citing lack of employee motivation and a hostile manager, among other problems. But when the team submitted a draft of the audit report, it indicated the area was well-run. When he asked about the discrepancy, his team said, "The area is a total disaster, but the controls are fine." Wrong answer!
Internal auditors should not ignore their perceptions — they can lead to the most significant issue of an audit. Observation can be a key tool for gauging culture, as reflected in "Signs of a Healthy Culture" (above), "Red Flags of a Toxic Culture" (below) and "Examples of Toxic Leadership Styles" (below).
Combined With Metrics
For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations, such as those listed in "Metrics That Might Support Auditors' Observations" below.
Red Flags of a Toxic Culture
- Excessive focus on short-term results.
- Unrealistic performance targets.
- "My way or the highway" management, inhibiting input and healthy debate.
- Lack of open communication (caused by fear, lack of trust, or information hoarding).
- Competition to get ahead rather than cooperation.
- Lack of work-life balance.
- Chronic grumbling by employees.
- Cliquishness, gossip, rumors.
- Chronic stress.
- Lack of employee development.
- Lack of accountability (in general or for top performers).
- Lack of motivation in a work group (could be caused by any of the above).
Metrics like these can be a powerful tool when combined with observations. For example, if auditors spot red flags of a toxic workplace, employee survey results might corroborate those observations. Turnover and sick leave statistics might reflect the culture's negative impact on the business. Discussing these links with audit clients won't always succeed, but it is far more robust than the auditors' observations alone.
A growing number of audit functions are using metrics that support observations in a variety of other ways, including:
- To plan and scope an audit project. An audit function might gather a standard set of metrics for risk assessment on every audit. When some of these metrics appear to be negative, the auditors can seek to determine why. For example, if turnover and sick leave are unusually high and the company has received an excessive number of customer complaints or hotline reports, or if projects regularly fail, the root cause may well be a cultural issue. If auditors suspect this is the case, they can conduct confidential interviews with employees and gather evidence to support and explain the link between the cause and effect.
- To populate a dashboard that executives and the audit committee review regularly for indications of entitywide issues or trends. This in fact seems to be a growing trend. In "The Board Needs Culture Dashboards" (FEI Daily, March 2018), Dennis Whalen, leader of KPMG's Board Leadership Center, said, "I'd be shocked if, by the end of 2018, most companies didn't have some kind of culture dashboard that somebody monitors and presents for the board on a regular basis so they can see outside the C-suite and the corporate office."
If an internal audit function developed a set of metrics meaningful to the organization and got buy-in from executives and the audit committee, it could use them for both of these purposes, in addition to leveraging them for support of audit observations.
Examples of Toxic Leadership Styles
- Disorganized, lacking focus (followers don't feel a real sense of direction).
- Narcissistic (egotistic, power hungry, care more about themselves than the organization).
- Autocratic ("my way or the highway," intolerant of ideas contrary to their own).
- Manipulative (charming to superiors, "kiss up, kick down").
- Secretive (hoards information to appear superior or use it to get ahead unfairly).
- Deflecting (blames others for problems or talks around issues to avoid being found out).
- Hypocritical ("Do what I say, not what I do").
A particularly interesting use of metrics occurred in 2002 when the Office of the City Auditor in Austin, Texas, performed a citywide ethics audit. The audit team gathered indicators of a positive or negative ethical climate in each of the city's departments from a citywide employee survey and a series of management interviews. Using statistical software, the auditors correlated these indicators with metrics like turnover and sick leave usage, complaints and successful claims by citizens, injuries to employees, and employee intentions to continue working for the city. They found that departments with strong ethical climates had significantly less turnover and sick leave, fewer complaints and claims, etc. The city responded by centralizing and strengthening oversight of ethics, drawing on the best practices of high-performing departments documented in the audit report.
A Powerful Combination
Internal auditors' perceptions of a work environment are usually sound but rarely stand by themselves. By combining their observations with data that management trusts, and by discussing the linkage tactfully with their audit clients, auditors can make a real difference in the organization. For auditors struggling with how to begin a culture audit, this could be a useful starting point.
Metrics That Might Support Auditors' Observations
- Employee survey results.
- Structured interview results.
- Customer survey results.
- Customer complaints.
- Hotline statistics, including evidence of whistleblower protection.
- Statistics for hotline open to suppliers.
- Frequency of legal problems.
- Frequency of audit issues with the same or similar culture-related root cause.
- Frequency of repeat audit findings.
- Timeliness and effectiveness of corrective actions.
- Turnover statistics.
- Sick time statistics.
- Exit interview results.
- IT surveillance results.
- Performance review timeliness.
- Frequency of negative media coverage, including social media.
- Warranty claims.
- Diversity statistics.
- Level of community engagement.
- Environmental impact data, with effective monitoring and continuous improvement.
- Frequency of performance targets being missed (suggesting unrealistic targets that pressure managers to meet them "whatever it takes").
- Frequency of large projects failing.