Adding culture to your audit plan
Auditing culture has been a hot topic for many years. How does it feature on your audit plan?
Internal audit can provide assurance across the risks associated with organisational culture. It is fundamental to governance, risk management and internal control. It's about behaviours that matter.
Perhaps you are already doing it, feel you should be doing more or have yet to explore it. Whatever your position has been, going forward there is only one acceptable option.
Already doing it? Read on to check out some approaches that might be useful.
If not, read on to develop your understanding and build confidence to start. Audit leaders who do not embrace this are at risk of failing their organisation and the profession.
Skip ahead for some useful cultural cues to spot.
What is culture?
Culture is the glue that binds an organisation together; getting the formula right for the ingredients is key, otherwise things fall apart. Organisations are in crisis mode managing a pandemic, transitioning to a low-carbon economy, recession and Brexit; the glue needs to be strong.
This thought leadership will focus on why you should include cultural assurance in your audit plan, offer new insights for those already on the journey and give you the confidence to talk about the topic with your governing body – board, audit committee, trustees, etc.
The elephant in the room
Let us not avoid the issue. There are individuals, executives, management and internal auditors who are sceptical about whether culture is an area for internal audit assurance.
What is your current position?
The Chartered IIA firmly believes that it is an auditable area.
We challenge you to be no less than 7 within the next twelve months.
Read our research paper for practical insights from chief audit executives (CAEs). Although a few years old, it's a timeless read.
An open dialogue between CAE and governing body (board, audit committee, trustees…) is an essential first step to overcoming preconceptions. It may include:
- A shared understanding of the benefits and importance of independent assurance
- Clarity around other assurance providers
- Alignment of expectations from internal audit
- The capacity and capability of the internal audit resource
- Renewal and refresh of the internal audit charter.
The objectivity internal audit is respected for is equally relevant when it comes to culture; stakeholders and internal auditors need to recognise that soft controls are just as auditable as hard controls.
Before continuing take a moment to reflect on this.
To what extent has your function provided assurance over cultural risks in the last year?
Importance of independent assurance
Governing bodies, either through regulatory requirement or principles of good governance, readily accept that independent assurance adds value to their role. Internal audit is uniquely positioned to provide assurance over cultural risk compared to other specialist or external assurance providers.
Internal audit has a role in highlighting strategic, operational, financial, compliance and cultural issues that impede the organisation from achieving its purpose, strategic goals, mission statement and values.
This is the decade where internal audit can become strategically focused now that senior executives see the value of having a trusted advisor working alongside them.
Trust is essential to providing independent assurance, alongside the objectivity that is unique to internal audit. Audit leaders should make an honest appraisal of their relationships before beginning any work of a cultural nature; trust is both an enabler and an outcome of assurance.
Partnering with governance leaders is an important aspect of providing cultural assurance. Audit findings and opinions will invariably need to be discussed openly, otherwise they may lead to antagonism and anxiety.
Culture is part of the strategic interplay of an organisation; it influences governance, risk management and internal control.
Internal audit cannot and should not focus on these three pillars without addressing the fundamental influence of culture.
A complex interplay of control failure and culture led to the 2010 Deepwater Horizon oil disaster in the Gulf of Mexico. Media headlines in 2018 revealed the use of sex workers in the wake of the Haiti earthquake, local activities that conflicted with the culture espoused by the charity. A government report described the culture as ‘rotten’ following the collapse of construction giant Carillion in 2018, and today Post Office executives and scandal victims await the outcome of a criminal inquiry.
- How might you feel the day after a major risk event at your organisation?
- Are you doing your best to protect your organisation?
- Is it time to move out of your comfort zone?
Read more about culture theory and the three pillars in our related piece, 'Organisational Culture from an internal audit perspective'.
Culture and root cause analysis
Culture is part of the ‘tone from the top’; setting the cultural agenda for the organisation is the accountability of the Board. Decision-making that determines a desired culture, like risk appetite or strategy, is an auditable process.
Culture is a complex construct. It is made up of multiple components: stories, rituals and routines, symbols, organisational structures, control systems and power structures. It is the output of the behaviours of a group of individuals; as in the case of the Oxfam scandal, cultures form when people are enabled to apply their own ethics and values rather than those that are desired.
Root cause analysis, probing to the absolute depths of an issue, reveals that it is one or more of these components, or a subset of them, which is the root cause of cultural failings, not culture itself. Auditing at this level may be challenging but has the potential to lead to lasting and significant change rather than superficial actions which management readily agree to.
- Advancing beyond 7 on the earlier scale will require this mindset.
- Do you aspire to this?
Cultural issues can be caused by a range of organisational, process and behavioural factors that internal auditors encounter in their day-to-day assurance activities. The challenge for audit leaders when supervising and reviewing audit papers is recognising them and having the courage to get to the heart of the issue.
According to leading academic Schein, there are three levels of culture; like an iceberg, only a small part is visible, with the most significant and powerful levels hidden beneath the surface.
Internal auditors able to identify, evaluate and learn from cultural indicators below the line will be in a good position to influence, provide advice and add value in all assurance activities.
There are often ‘cultural’ findings such as policies not being followed or control weaknesses in the vetting of joiners. Consider recently agreed audit actions: which level have they targeted, the observed/symptomatic behaviour or the theories/root cause?
Adding culture to the audit plan
Organisations that have identified concerns or those with a mature risk outlook and awareness of culture may have a specific or ongoing cultural change programme. It is crucial that internal audit provides independent assurance to its governing body on activities of this nature to ensure that management information is a true reflection of reality.
All internal audit functions should be considering the influence of the pandemic on their organisation, particularly in respect of culture:
- How quickly was the organisation able to react?
- What has been the impact of remote working – did the culture enable or impede?
- Where have weaknesses in the control system been observed?
- Which leadership skills really came into their own – who struggled to cope?
- Have any of the temporary changes been made permanent?
- Did culture form part of the pandemic lessons learnt audit?
You can do this today regardless of where you positioned yourself on the earlier scale.
Defined cultural change programmes aside, there are a number of options available to audit leaders depending on your journey along the scale.
1. Embedding cultural elements in each risk-based audit
Perhaps using a standard survey or a test programme that is easily modified.
Considerations could include alignment of the values and ethics of the organisation with operations, for example, the degree to which:
- Employees are encouraged to be innovative and take risks
- Employees are expected to exhibit precision, analysis and attention to detail
- Management focuses on results or outcomes rather than technique and process
- Management decisions take into consideration the effect of outcomes (targets/results) on the people doing the job
- Work activities are organised around teams rather than individuals
- People at all or different levels are aggressive and competitive rather than collaborative
- Blame is attributed for mistakes rather than learnings taken forward
- Organisational activities emphasise maintaining the status quo rather than continuous improvement and growth
2. Undertaking a standalone audit of culture
This is a big task and should be approached with caution so as to avoid false or misleading assurance. Audit leaders may be able to use the organisation’s cultural framework, if one has been defined, as a basis for engagement planning. It may also be possible to use a recently conducted staff survey as a platform from which to develop an audit scope.
3. Conducting reviews of specific aspects of culture – drivers/enablers
There are many drivers/enablers of culture such as performance management, employee induction programmes and communication of corporate values.
An example of this could be to take one of the organisation's values and provide assurance that it aligns with operations. If creativity is an espoused value, internal audit could evaluate how this translates into practice: does it apply equally across the organisation? Some expectations to test could include: employees are given autonomy, there are principles rather than strict rules, informal meetings occur, flexible working arrangements are encouraged and collaboration structures are favoured over traditional hierarchies.
4. Performing thematic analysis across completed audit engagements
Identifying where cultural factors (organisational, process, behavioural) have been the main driver for an audit finding and using these to make linkages and join the dots to identify patterns or add weight to subjective opinion. Over time data could be captured in such a way as to enable this to be done using data analytics and artificial intelligence tools.
5. Auditing specific variants of culture
Audit leaders may be familiar with specific cultural elements within the organisation, for example the risk culture or the culture within functions such as human resources, sales or research and development. It may be helpful to provide assurance with a defined boundary to the subject matter; care should be taken to reflect its part within the whole so as to avoid encouraging siloed activities.
Choosing an approach or combination of approaches should take into consideration an honest appraisal of the relationship internal audit has with its governing body, the risk maturity of the organisation, the skills of the internal auditors and a sense of how effective the existing culture is in supporting the organisation to achieve its aims.
- Has this inspired you to do more?
- Which of these are you going to add to your audit plan?
- Why not make an immediate start with assurance related to the pandemic?
As the saying goes, ‘Rome wasn’t built in a day’; likewise, comprehensive assurance over the organisation’s culture is not going to be provided overnight. Looking at the existing audit plan through the culture lens will undoubtedly reveal a host of opportunities for integrating culture into scheduled engagements in addition to considering targeted activity or an audit just of culture.
Supporting internal auditors
Internal auditors have a natural curiosity, a healthy scepticism that is ideally suited for looking beneath the surface of the organisation and into its culture. It is important to be mindful of unconscious bias, as internal auditors are employees too; amplifying the professional sensitivity for objective and independent thought can help to mitigate this, together with enhanced quality safeguards.
CAEs may want to think about exploring the culture of the audit team itself before embarking on an audit of the organisation; how might this inform understanding of culture and then influence an audit of culture? Does the function mirror the organisation or set itself apart?
Specialist technical skills are not required for auditing culture; significant soft skills, perceptive observation and interviewing are, however, of paramount importance, as is a solid understanding of the topic. In addition, internal auditors must be skilled at managing diverse stakeholders and senior management, as there is likely to be debate and discussion when presenting audit findings and defining any actions required.
It may be useful to consider the old adage of two heads being better than one and allocating more than one internal auditor to the engagement. Another option could be to use a guest auditor from the second line, the risk function or compliance, or even a human resources colleague with experience in organisational culture or psychology.
CAEs should also consider their own involvement as they will have gained cultural insights from attending audit committee, board and executive meetings, sitting on project groups and partnering activities with governance leaders.
Internal auditors may need additional guidance and confidence to evaluate soft controls.
Remedial activity for adverse cultural findings cannot be imposed as an audit recommendation; solutions must be developed and fully engaged with by those with accountability for their delivery. The multifaceted nature of culture is what makes it challenging to change. It is a powerful protective mechanism much like the body’s immune system; attempts to alter one aspect can be regarded as an infection which is rebuffed even when it is a positive action. Restructuring DNA is not an easy feat.
Cultural cues can be difficult to spot. Here are some examples to think about…
1. Is the organisation stressed?
- Short-termism taking over, rushed decisions, knee-jerk reactions, deferred governance/audits.
2. Is talking about culture avoided at an executive level?
- Passive management, poor awareness, lack of acknowledgement of value.
3. Do people wait for the most senior person in a meeting to offer an opinion first?
- Be wary of group think, corridor conversations, false agreement. What stops them? Fear, lack of confidence/empowerment/competence.
4. Are people ridiculed or admonished for making mistakes? Blame culture.
- Impact on innovation, creative thinking, developing new ways of working, talent retention.
5. Have inappropriate reward/incentive schemes been approved?
- Encourage pushy sales, unethical behaviour, fraud, short-term gain, distrust.
6. Is employee turnover high in particular functions or overall?
- Learnings from exit interviews, comparable to sector/geography, productivity impact.
7. Do few employees recommend others to join? Unsuccessful referral scheme.
- Why not an employer of choice? Employee survey/interviews insights; why is it not a good place to work?
8. Is performance too good to be true? Projects always successful, rapid promotions, perfect scores.
- Manipulated targets/outputs, corners cut, misleading internal and external stakeholders.
9. How do new joiners feel after their first week? Corporate induction or left to chance?
- Which stories did they hear? What/who made the biggest impact and why? Will they stay? Was the reality the same as expected from the interview/contract promises? What was different?
10. Tolerance of individuals who breach policy/controls or commit fraud.
- Why dealt with quietly or dismissed as atypical behaviour rather than used as deterrent/learnt from?
11. High absenteeism, long comfort breaks, poor productivity rather than going the extra mile.
- Project overruns, reluctance for overtime, quality issues, inefficiencies, compliance issues? Lack of commitment, staff don’t see the purpose of the organisation, poor examples set by leaders.
12. Underused employee concern/whistleblowing/speak-up process.
- What type of concerns? How managed? Where reported? Is it fair and impartial? Are people protected?
13. People turn up to meetings unprepared, late and fail to actively participate.
- Lack of respect for others, bureaucracy, procrastination, decision avoidance.
14. Insufficient budget to invest in people, to maintain and develop skills.
- Is talent recruited rather than promoted? Does resourcing strategy match business need?
Closing thoughts
Whether you are on a journey to becoming a 5 or a 10 on the earlier scale, you need to be on the journey now. The train has left the station! In times of crisis, organisational culture can be the difference between success and failure; an invisible thread of resilience when people are stretched. Culture is a powerful force. Audit leaders have an opportunity to make a real difference, just like the British Transport Police campaign to engage the public in anti-terrorism “see it, say it, sorted”.
"Corporate culture determines if your strategies, initiatives and mergers will succeed or fail. All organisations have cultures. The only question is, does it shape you or do you shape it?"
Dr Larry Senn, Management Consultant