Toshiba, Hertz, FIFA, WorldCom, Enron, and Uber (among others) have all experienced significant failures driven by broken cultures. The circumstances of each of these situations have been thoroughly rehashed in the media, yet the problem of toxic cultures remains and a remedy is unclear. It makes me wonder: Could these types of disasters be prevented if management and the board could more readily see the impact of culture? If so, how do internal auditors effectively take on the behemoth of auditing culture and demonstrate this impact?
There are many different approaches to auditing culture and you need to figure out what will work best within your particular organization. That said, trying to take on culture holistically is an insurmountable task. Many chief audit executives (CAEs) aren't even trying: In a recent Pulse of Internal Audit survey, 58 percent of CAEs reported a culture audit is not on the audit plan.
Auditing organizational culture is a tough road to go down. Things can get personal quickly. Add in the fact that 55 percent of CAEs ranked "behavior modeled by executive management" as the No. 1 factor influencing culture — another 20 percent ranked this No. 2 — and it is easy to see why so many internal audit leaders hesitate to go down this path.
Instead of the holistic approach, an effective way to address culture as the likely root cause underlying many risks in your organization is to break culture down into bite-size chunks. This approach allows you to create focal points and drive the conversation around specific issues rather than potentially getting caught up in personal attacks. A few ideas for ways to break culture down include:
Risk culture. Common in the financial services sector, risk culture is the organization's attitude toward risk-taking and control activities. Consider, for instance, a bank's investment risk appetite. What processes are in place to ensure investment risk remains within defined tolerance levels? How is this monitored and controlled? The same scrutiny applies in other sectors. For example, in a retail environment there may be a risk appetite around individual store performance. How are performance tolerances set and what controls are in place to monitor and ensure corrective action is taken?
Cyber culture. What is the cyber culture of your organization? Are employees concerned with security? Verizon's recent Data Breach Investigations Report found that a large number of cyberattacks are successful due to human failures. The report showed that 81 percent of hacking-related breaches leveraged either stolen or weak passwords, and 66 percent of malware was installed via malicious email attachments. Look at what type of password controls are in place in your organization. Are passwords taped to employees' keyboards? Are there training and awareness programs? If you ask an employee about phishing, vishing, smishing, or pharming, would they know what you are talking about? If you want to get a little more technical, look at what policies and procedures are in place to implement critical patches and how long it takes to get patches implemented. Does management "give in" and override controls when pushed (particularly when profits may be at risk)?
Fraud culture. There are many different areas of fraud that can be addressed. What is your organization's culture on employee theft? Is it tolerated? Do employees feel entitled or undervalued? Do you hear about employees rationalizing why taking company assets could be justifiable? How is your organization's intellectual property protected from employee theft and do employees understand that the intellectual property belongs to the organization and not them?
Safety culture. Does your organization have policies and procedures around employee safety? Are employees encouraged to report safety issues, or do they risk ridicule by doing so? Does anyone in the organization know how many workplace injuries there have been in the past year, how they are handled, and how big an impact workers' compensation has on your bottom line? Is safety ever discussed in staff meetings?
This is not an exhaustive list, of course. There may be unique examples in your organization of how to break culture into manageable chunks focused on specific issues. The point is that an organization's culture cannot be easily measured. Pay attention to things you might already be doing that can help to demonstrate the impact of culture. While many internal audit leaders strive for strong relationships with management and the board to enable direct conversations on cultural issues, these conversations can easily cause friction if not handled correctly. By breaking culture into meaningful components and creating focal points, auditors can keep their audiences focused on specific positive actions.
That's my point of view; I'd be happy to hear yours. Verizon's 2017 Data Breach Investigations Report can be found here. Current and archived Pulse of Internal Audit Reports can be found