A very interesting article published recently in Audit & Risk tackles some of the issues surrounding the Auditing of Culture which is becoming increasingly high up on Audit committee agenda’s. Alexander Glebovskiy CIA, CFE, CRMA addresses what to look for and how to measure something as nebulous and intangible as culture.
In 2014 the Prudential Regulation Authority (PRA) published its Statement of Policy addressing serious failings in organisational culture, while the Financial Conduct Authority (FCA) responded to the special measures proposal of the Parliamentary Commission on Banking Standards for tackling serious failings in firms. The regulators were sending a clear message that organisations need to rigorously pursue deficiencies in their corporate climate and standards of behaviour. This poses a challenge for internal audit to develop audit approaches and methods that will help them thoroughly investigate and scrutinise organisational culture.
It is pertinent to ask whether the auditing of culture is really “new”, or whether it has always been considered within the scope of internal audits. Auditing some cultural aspects has regularly been embedded within reviews of incentives, remuneration and staff appraisal systems – usually within an HR audit. Some cultural elements are also covered in audits on corporate governance, risk management and compliance. Such audits, however, are unlikely to conclude that a culture is poor, strong, appropriate or inappropriate to support the prudent management and governance of a company.
The auditing of culture involves different layers spread across the business and audit universe and, consequently, needs to be audited as a whole. Culture is a multi-dimensional area with both conscious and unconscious aspects, rational and irrational components. Auditors need to take a holistic approach and cannot draw a final conclusion from a single point of view.
Methods and approaches
Culture really matters since it can be both the root of problems and an engine for corporate success and competitive advantage. It is an intangible asset, yet intangibles can be transformed into visible value for the company in the form of corporate agility, innovation, know-how, staff morale, brand reputation and image. In making organisational culture auditable, internal audit is at the beginning of a long expedition to find an optimal approach to auditing culture. The key challenge is how best to gather evidence to demonstrate that the corporate atmosphere and environment are appropriate, and ethical values are being incorporated at every level in the organisation.
Internal audit is adept at assessing the design and performance of hard controls such as policies, guidelines and authorisation limits, delegation authorities and so on; but finding appropriate and reliable metrics and mechanisms to evaluate and assess abstract attributes relating to culture, conduct, rituals and habits is more complex. It might, therefore, be sensible to consider less orthodox methods for this. Using additional tools such as market research, questionnaires or peer reviews could bring to light additional findings that the standard audit check-and-test techniques may not.
So, for example, it could be useful to interview all new starters, who have not yet fully adapted to your organisation's standard routine. Newcomers could be a valuable source of information as to what appears to be good practice in the organisation and what could be improved upon.
Interviewing leavers to get their views on and experience of culture would provide further information. Some organisations already perform these interviews and may only need to refocus some questions. In those that do not, internal audit should suggest that human resources put this in motion.
Another question is whether organisations already carry out an internal staff survey which gathers employee opinions on leadership, management attitude and organisational values. If this already exists, internal audit can investigate whether management takes the results seriously and uses it to identify improvements, or whether it is too often ignored. Similarly, an “outside in” view could be gained by conducting an external survey among suppliers, business partners and customers. Again, if these do not exist, internal audit could recommend that the surveys be introduced.
Analysing customer complaints can also reveal cultural issues, both in the nature of the complaints themselves and in the ways in which complaints are handled. The manner in which organisation deals with internal grievances raised by staff also provides further significant insights into its cultural environment.
Internal audit should also consider whether their business creates and maintains an environment in which employees feel safe to challenge management decisions and to speak up if they think something is wrong, without fear of reprisals. The culture of a business can be identified not only by the conversations that take place regularly, but also by those that do not. Internal and external communication can provide useful evidence of organisational culture. Does your organisation promote an environment of open communication and effective challenge? Do decision-making processes encourage a range of views, stimulate a positive, critical attitude among employees and promote open and constructive dialogue?
People have a natural tendency to block out unpleasant matters, so it is worth looking at how the company and management react to unpleasant situations. Is there a culture of blame and do managers quickly try to find a bad apple to blame when things go wrong? Or do they create a culture of failure and perform a thorough analysis to get to the bottom of the problem and understand the cause of the issue.
Internal audit should also look at the organisation's reward and performance management systems – who is being promoted and rewarded, who is seen as the “best” employee and why (and who has been dismissed and why).
Some companies have established an advanced incentives system for senior management, with a compliance reward where one of the bonus elements is linked to compliance and internal audit findings and how they cooperate with these two functions. This can be a valid indicator of how businesses embrace and respond to recommendations from the second and third lines of defence, and whether corrective action is implemented rapidly or postponed until it becomes obsolete.
In addition to this, internal audit could analyse decision-making processes in the company by looking for any past incidents related to the atmosphere and conduct rules set at the top of the organisation. One example could be if a senior member of staff deliberately chose to pursue a good commercial result, even though the decision was seen as unethical. The pressures for this kind of choice are obvious; however, there are companies in all sectors that successfully combine the highest performance with sound ethics.
To audit organisational culture, internal audit needs to look at a wide range of information to build a picture by joining the dots. From the outset, it is essential that the audit team has the political support it needs to create potential change. The auditors also need to manage the expectations of stakeholders about what is likely to emerge as a definite finding with firm recommendations and what is more likely to lead to indications and general trends that might require more analysis before any actions can be suggested. Last but not least, it is also important that internal audit identifies the positive elements of the current culture that should be kept and reinforced in future.
The auditing of culture is not an exact science and many questions remain about how to demonstrate that any culture requires improvement. The methodological approach for this audit is likely to change in time to include more evidence. Until then, gut instinct combined with quantitative findings from standard audits and new auditing techniques will have to be the basis of cultural judgements. However, the focus of regulators on corporate culture makes it clear that this is not a fad and there is a tangible correlation between an optimum corporate environment and the ethical conduct of management and organisations.