The human factor: Auditing culture

The cost of misunderstanding or, worse, covering up problems with corporate culture can be heavy – as the BBC discovered when Lord Dyson’s report uncovered evidence of deeply rooted failings in the corporation. Their problems began with a journalist faking evidence to secure an interview, but the report revealed obfuscation and denial by senior managers and victimisation of whistleblowers over many years. Shortly after this, the Metropolitan Police faced accusations that senior officers had concealed corrupt practices dating back to the 1980s.

These are just the latest examples of how neglecting to tackle even minor indications of cultural problems at source can cause issues at multiple levels and lead to reputational and financial damage years later. No organisation is immune – the financial services sector and car manufacturers have been affected, but so have the NHS and care homes. Lord Dyson’s report explicitly condemned the BBC’s corporate governance, indicating the way in which culture goes to the core of what an organisation is, what it does and how it is perceived – and makes it a critical risk for internal auditors.

Times of disruption and rapid change have a long-lasting effect on culture, which means that organisations should be on their guard now. What will moving jobs out of offices and furloughing or laying off staff mean for corporate culture? How can internal auditors, themselves working remotely, identify cultural issues, and how can managers address them?

Such questions are pertinent, because it seems that many organisations were not doing enough to assess corporate culture before the pandemic. In its annual review of company reporting last November, the Financial Reporting Council (FRC), the UK’s corporate governance regulator, complained that “only a minority of companies set out in detail how they plan to assess their culture beyond the use of surveys and site visits”.

This suggests that, in a year with few site visits, many organisations will lack critical cultural information just at a time when culture may be altering significantly. Employees, including internal auditors, have been hired and inducted virtually and have never sat with their team or attended a physical meeting. Managers have had to find alternative ways to help teams bond and share experiences – using virtual pub quizzes and informal chats on Zoom or Teams – and to communicate and feed back performance reviews and guidance.

Instilling, creating and assessing a strong culture has, therefore, become more problematic, just when it is also being perceived as a greater risk. It is not just the regulators who are concerned; investors are also increasingly interested in whether companies report meaningfully on their culture, and the detail they provide in their disclosures.

“The days when companies could make a one-line statement that they take corporate culture seriously are over,” says Elizabeth Ross, associate managing director, business intelligence and investigations, at consultancy Kroll. “Investors want to know about recruitment and talent management policies, succession planning, diversity, how ethical business policies are agreed, communicated and enforced, and what kind of third-party due diligence they conduct on their supply chains, particularly around new suppliers.”

The pressure on boards to report on cultural risk means that they are looking to internal audit to provide assurance that the information is available and reliable. One senior internal auditor in the financial services sector says there is a “huge” expectation that internal audit will audit culture and provide assurance around it.

In addition, she believes boards and regulators are increasingly interested in the process that internal audit uses to review organisational culture. “It is not enough for companies to report what they are doing,” she says. “Organisations now need to disclose how they are doing it. Boards – as well as regulators, investors and other stakeholders – want to know how culture is being monitored, assessed and reported internally.”


Core issues

To check whether the organisation is living up to its cultural expectations, internal audit should check “core” issues including “tone from the top”, remuneration policies, performance management reviews, risk appetite policies and statements on company ethics, explains Liz Sandwith, chief professional practices adviser at the Chartered IIA. It is vital that internal audit also understands the key drivers behind culture, such as leadership, strategy, corporate responsibility, risk management and people management.

Ideally, culture should form part of every audit. Internal auditors should combine findings from all relevant audit engagements in an annual or half-yearly report to the audit committee, highlighting areas where culture is miscommunicated, misaligned or misunderstood. There are a couple of advantages to this: it breaks the work into chunks and enables better resource planning, and it shows that the audit work on culture is continuous and that the findings are not just “a snapshot in time”.

The way in which internal audit reports findings on culture to the board is also important. “It is not internal audit’s place to say that an organisation has the ‘right’ culture. An organisation’s culture is set by the board: if executives want a certain kind of culture, that is their decision,” Sandwith warns. “Internal audit can provide assurance around the message from the board, how it is communicated via policies and procedures, and whether employees adhere to these.”

Internal audit should also be explicit about the board’s desired culture, so they can contrast that vision with the reality and provide evidence about whether it is understood and adhered to.

Matthew Weitz, associate managing director, business intelligence and investigations, at Kroll, believes that internal audit should be actively pushing culture up the risk agenda. However, he adds that auditors need access to the same information as management and the skills to turn this data into realistic, practical recommendations.

“If not, how can the board gain assurance that everyone is doing what they are supposed to be doing in the way the company wants it done?” he asks. The most effective reports break down the risks and provide practical steps for controlling them that are realistic and prioritised around levels of risk and the resources needed to implement them.


Broad sweep

Fortunately, internal audit is not alone and can tap into many sources of cultural information and assurance to support its own findings. An obvious contributor is the HR function, which has evidence around induction and exit interviews, performance reviews and appraisals, rewards and incentives, staff surveys and disciplinary meetings. IT has data on cyber training and the behaviour of those using the company systems – for example, log-on and log-off times may be useful to see whether people are working long hours, or to spot changes to working times or patterns.

A change in the number, or nature, of calls to a whistleblowing hotline, or a rise in staff complaints, is relevant, as are customer service records, social media reviews and comments about products or services. Operational data, such as rates of equipment failures or losses, may be relevant. Such data can be monitored routinely using analytics software.

Cultural problems can also be as great in omission as in commission – repeated lack of action around, for example, rule bending, or a common perception that there’s no point complaining about a particular manager or issue can leave little evidence, but could have a lasting effect on morale and actions. Similarly, bullying behaviour or a culture that discourages diversity and inclusion may not immediately appear in any data, but could harm teams, reputation and performance.

Such issues are hard to spot and require internal auditors to use imagination and empathy as well as strong communication skills. Awareness of possibilities and acute listening skills are essential: What are people not saying? What are they avoiding? What things would you expect to hear that you do not? What is the “atmosphere”? Is there an elephant in the room no one mentions?


New challenges

The challenges of the past year will have cultural consequences. People in different roles and levels in the same organisation have been affected in multiple ways, causing new sources of tension. Opportunities and incentives have changed, prompting behavioural shifts. Some beliefs have been shaken, affecting trust and loyalty. These changes need to be understood.

Internal audit must adapt the ways it monitors culture, but much is possible even working remotely – staff emails and communications still go through company servers, while whistleblowing hotlines, social media forums and other communications are unaffected. Many line managers say they have more regular contact with their teams than they did in an office. Some also believe they have greater insights into the lives of the people who report to them because they see them at home, asked them questions when setting them up to work remotely and because staff welfare has been prioritised in lockdowns.

However, there are limitations to Teams and Zoom – it’s easier to miss subtle indications of tensions or concerns if you cannot see how people interact in their normal working environment and you miss the informal chats walking to a meeting or waiting for coffee to brew.

“I love and hate remote working in equal measure,” says Adrian Herbert, group head of internal audit at The Ardonagh Group. “I love the efficiency, but I hate the lack of personal contact. It’s more natural to meet someone face to face and you are more likely to pick up subtle nuances; you have to watch harder to spot the signs you’re losing the room in a presentation and it can make it harder to establish a rapport.”

Organisations used to operating across multiple sites may have found it easier to maintain a consistent corporate culture in the pandemic, but they are not immune to ongoing changes as employers move from being wholly office-based to more flexible labour patterns. Internal auditors “can play an advisory role looking at the processes involved in any culture change programme that takes into account these new ways of working and employee expectations,” Sandwith suggests.

And the pandemic is not the only force driving change. Andrew Gascoyne, head of internal audit at Allianz Insurance, says his organisation has set an environmental target of cutting travel by 50 per cent on last year, so, even without Covid restrictions, internal auditors will need to gather their intelligence in new ways.

“We’ve adapted processes and got smarter about getting data and documents, but the cultural element of not being in the places you’re auditing physically will have a longer term impact. There’s nothing better than actually sitting with someone, chatting and understanding the environment they’re working in,” he says. On the plus side, it can be easier to set up virtual meetings at short notice than physical ones and you can introduce more regular updates for auditees – as long as you don’t overload people’s diaries, he adds.

Internal audit can rise to the challenge of providing more – and better – assurance on culture, but it must keep pace with new ways of working to ensure that innovation does not destroy that precious commodity – trust.

For more information, the Chartered IIA runs a course on How is Culture Changing with Covid-19.

This article was published in July 2021.