The idea of auditing culture can be intimidating to internal auditors. How can you find objective evidence about something that is inherently subjective? Do you need strange new techniques and psychologists on the audit staff?
Fortunately, internal auditors can accomplish a great deal without the need for a radically different approach. A combination of well-known audit techniques, applied more rigorously by practitioners looking for cultural issues, can go a long way. Four techniques, in particular, can yield valuable information:
Incorporating these approaches into routine internal audit work gives practitioners insight into organizational culture and can surface issues critical to the organization's continued success.
Establishing participative relationships is perhaps the most important technique, as audit clients are far more likely to discuss their culture if they feel involved in the audit process. This involvement can come during three stages of an audit project.
Planning
Auditors commonly get input from the manager responsible for the area they're reviewing. Some auditors go further and actually plan the audit with that manager. Together, they develop the specific audit objectives, scope, and overall approach.
Does planning the audit with the client compromise independence? It would if the auditor were not thinking critically; but if the client tries to divert internal audit from looking into a risk area, an experienced auditor is likely to recognize it.
For example, as part of the planning process the auditor presumably would explain why he or she thinks a risk area should be examined; the client might then explain why it would be a waste of time. If the client's explanation makes sense, the auditor thanks the client and explains that internal audit needs to confirm what he or she says. If confirmation is established, the auditor saves time. If not, or if what the client says does not make sense, the auditor sees the attempted diversion as a red flag and looks into the risk area with that in mind.
Audit clients are likely to be concerned about how much of their time the joint planning process will take. Internal audit should promise to minimize the impact by performing all the detailed analyses and keeping the planning at a high level.
Risk Assessment
Once the audit objective and scope are agreed upon, the auditor performs a more detailed risk assessment of the key risk areas. Involving the manager in the assessment — or his or her direct reports if the manager can't take the time — has many benefits. First, business owners know their risks better than an auditor coming in from the outside; most of them are just not used to thinking about risk in a systematic way. Guiding the client through a risk assessment gives the auditor a better understanding of the real risks and helps the client become a better risk manager. For auditing culture, it allows the auditor to guide the client's thinking toward cultural objectives and risks to address during the audit.
Reporting
The best way to "report" audit issues — and this is especially true for sensitive cultural issues — is not by telling the client they exist. The most effective way is showing the evidence, enabling clients to realize for themselves that there's a problem. Ideally, the discussion begins before the auditor has all the evidence, when he or she thinks there's an issue but is not quite sure.
For example, suppose an area's staff members complain of unrealistic performance targets. The auditor, being careful to preserve confidentiality, could ask their manager if he or she is aware of the staff's concerns. If the auditor can pique the manager's interest in whether it's true or not, they can design a test to determine that together. If the results indicate it's false, the client will have evidence to show the staff and dispel a morale issue. If the results indicate it's true, the manager is much more likely to be receptive, having asked for the information and helped design the test.
Observations and Data
In any area they review, auditors observe the behavior and attitudes of client management and staff. Their perceptions of the culture are generally accurate, but they are subjective. For most internal auditors, reporting a cultural issue based only on observations results in a fight they can never win. The good news is that there is usually objective data to support those observations.
A negative culture, for example, usually results in high rates of turnover and sick time. These statistics are readily available. Employee survey and exit interview results can also support the auditors' observations and sometimes help identify the cause. A review of customer complaints, frequency of missed performance targets, or project failures can show the impact of the cultural issue. For more examples of metrics that can support auditors' observations, see "Auditing Culture: Observation and Data."
Root Cause Analysis
When conducting training programs during the early to mid-1990s, I would often say that soft (i.e., cultural) controls are more important to controlling an organization than hard controls. I would present tools like control self-assessment workshops, employee surveys, and structured interviews as ways to identify soft control weaknesses. Sometimes a trainee would ask, "If you just did transaction testing and really got at the cause of hard control deficiencies, wouldn't you get to the same place?" The answer is yes, but that rarely happens. Auditors usually stop short, ending with a more objective, easily defensible intermediate cause.
Today, in my course for new internal auditors, I like to illustrate root cause analysis by starting with a hypothetical example where auditors discover inaccuracies on a computer report. I then ask the class to identify potential reasons for the erroneous report. A typical, though abbreviated, exchange between me and the course participants looks something like this:
"Why is this information not accurate?"
"Why are there input errors?"
"Lack of training"
"Why haven't the input clerks been properly trained?"
"No budget for training"
At this point I explain the need to look at the effect of the errors. If the organization shifts funds to training, those funds have to come from somewhere else. The loss of funds elsewhere might have a worse effect than these errors:
"So let's say the effect of these errors is clearly great enough that training is needed, but local management is allocating its budget as best it can."
"Then they need a budget increase."
"Why isn't upper management giving them enough money to train their staff?"
"Upper management just looks at numbers and has no idea of the impact of their decisions on lower level employees."
Now we have the real root cause. And as often happens when analysis leads to the executive level, the cause is a cultural issue. Correcting it will not just correct the condition, but it will prevent future instances of the same or similar conditions. In this example, the root cause has a pervasive impact on the entire organization — Wells Fargo provided a clear example of what that can lead to.
Of course, upper management is not going to change its approach to managing the organization because of the errors on this computer report — it is one symptom of a deeper problem. The audit report will have to stop at an intermediate cause. The auditors, though, should keep track of this issue and look for similar issues in other audits. If they can connect the dots from enough audits, they may have sufficient evidence to at least discuss the underlying issue with upper management. And this points back to the importance of establishing a participative relationship with management. Finding a root cause on our own is rarely as effective as working with the client to identify it. This is especially true if the root cause is cultural.
A Powerful Combination
Taken together, a participative relationship with audit clients, auditors' observations supported by objective data, and rigorous root cause analysis is a powerful combination. None of these techniques is novel — they are things internal auditors have always done to some extent. Performing them more rigorously, with the goal of identifying cultural issues, can enable internal auditors to provide a deeper, more meaningful level of assurance.
Despite the value of these techniques, auditors should keep in mind that, even when performed together, they do not provide sufficient means to support overall conclusions about the organization's culture. Accomplishing that requires a model or framework that identifies the elements of the culture to be evaluated. And some of these elements might require other techniques.
Nonetheless, this multipronged combination should be a central part of the auditors' approach. Even without overall conclusions, internal auditors using these techniques can identify issues in their organization's culture that need to be addressed. And ultimately, that is the greatest value organizations derive from an internal audit assessment of culture.
Read other articles in this series:
Auditing Culture: History and Principles
Auditing Culture: Bumps in the Road
Auditing Culture: Where to Begin
Auditing Culture: Observation and Data
Auditing Culture: Audit Project Surveys
Auditing Culture: Employee Surveys