Auditing organizational culture is a challenging, multifaceted process. It can touch virtually all parts of the business, including the very top, and span a wide range of risks and topics.
Due to its complexity, many internal auditors interested in auditing culture may be unsure of how to approach it. This installment of my Auditing Culture series helps point practitioners in the right direction, offering some tips that may seem obvious but should not be overlooked.
Consult With Your Stakeholders
Auditors should start by identifying who their stakeholders are and determining what those individuals or groups expect from a culture audit. Examples of stakeholders include the audit committee, regulators, and executives — considerations for each of these groups can differ substantially.
Audit Committee or Similar Oversight Group Has the audit committee asked for a culture audit? If so, this will help overcome possible resistance at lower levels. Does the committee have any specific expectations regarding which aspects of culture internal audit should examine or how the audit should be conducted? Do the committee members have any concerns about the existing culture? Have any members been involved in culture auditing elsewhere — if so, would they want to share their experiences or insights? Engaging this group in meaningful discussion will be important.
If the audit committee has not asked about auditing culture, internal auditors should initiate the discussion. Practitioners can suggest possible benefits to the organization (e.g., see "The Right Path"), as well as some ways to approach a culture audit, drawing from research on what others have done.
Regulators If the organization's regulators request or require audits of organizational culture, internal audit should hold the same kind of discussions with regulatory personnel as they do with the audit committee. In particular, what aspects of culture are they most interested in? What are their requirements or expectations for internal audit as it relates to culture?
Executives Support from the head of the organization is, of course, essential. Other executives may or may not like the idea, but they might be surprisingly supportive. For example, my first chief audit executive (CAE) reported to a chief financial officer who thought so little of internal audit that he moved the reporting relationship from himself down to the corporate controller. Nevertheless, he once said to the CAE, "I read your audit reports. They're fine. But what I really want from you is this. Your auditors are in our banks observing management's behavior. I want to know what they're seeing and thinking. I know they won't have the same kind of evidence they do for an audit finding, but I want to know what they think of management."
A 2011 IIA research study, Insight: Delivering Value to Stakeholders, provides a more generalized example. It found that 64% of executives surveyed expect that "the CAE provides comments to the audit committee of the board of directors or certain executives regarding the performance of senior leaders in the business, based upon internal audit activities performed within the organization." Only 30% said they experience this from their CAE, representing a 33% expectation gap.
Know Your Organization
A growing array of tools, techniques, and approaches exist for evaluating culture. To succeed, internal auditors must find an approach that will work within the organization's unique cultural environment.
One way to help determine the best approach is to consider where the existing culture fits on a series of scales, like the ones shown below (see "Where Does Your Organization Fall on These Scales?"). This estimation could be performed by the CAE, the audit management team, the entire staff (during a staff meeting), or selected members of management.
Contrasting examples of two hypothetical organizations help illustrate how scales like these can be used:
To select the most meaningful scales for their organization, internal auditors can look to existing sources of cultural insight such as employee surveys and exit interview results. They can also talk with human resources, as well as risk management and others in the second line of defense. The insights that come from these and similar sources will also be valuable in other ways, such as scoping audit projects and supporting cultural audit issues.
Where different parts of the organization fall along these scales can often vary, and those variations might suggest different approaches for certain areas. They also might suggest problematic cultural inconsistencies that should be examined, as well as identify "low hanging fruit" or possible champions in management for initial efforts.
Select the Initial Approach
With strong support from key stakeholders and a culture that is open to it, a robust approach may be possible right away. For example, a pharmaceutical company performs 5- to 6-week "values assurance" reviews in which internal audit works in a multidisciplinary team that includes psychologists, operational staff, and individuals with Lean Six Sigma experience. Or consider a financial services firm where the audit department uses a cultural model with eight cultural drivers broken into 35 topics. For each of these topics, the department has developed a comprehensive audit program to use during audit projects.
In my experience, and from what I have read, organizations with robust approaches like these usually:
Most organizations, of course, do not belong to one of these groups.
Unless the audit committee and executive team are willing to devote significant resources to safeguarding against a culture-caused scandal, it is best for internal auditors to start slow. They can then build toward more robust approaches if and when the results indicate that doing so will be worth the cost.