The Institute of Internal Auditors (The IIA) has recently highlighted the need for auditors to assess organizational culture, but there is very little guidance on how to accomplish the task. At first glance, culture may seem like just another risk factor to consider in a governance audit. On the other hand, auditing culture could be seen as the basis for the entire audit plan. Our job is to figure out how to incorporate some element of culture into our work load while not getting so mired in the details that all of the other audit work suffers. We must also deal with the subjective nature of conducting a culture audit and the unique challenges associated with reporting any uncovered issues. In this first installment, we will define what the term culture means to us as auditors. Subsequent discussions will cover an approach to performing the audit, as well as an exploration into the unique challenges that can arise from a culture audit.
Just like we do with any new audit, we need to start by understanding the general topic. The first hurdle is understanding what is meant by the term “culture” before we can begin to audit culture in our own organizations. To begin, compare the textbook definition to a real-world definition.
The textbook definition, taken from a college text on organizational behavior1 states that culture is a “Shared social knowledge within an organization regarding the rules, norms, and values that shape the attitudes and behaviors of its employees.” As expected, the definition references formal rules, but also mentions attitudes and behaviors, which auditors do not typically discuss.
For a real-world definition, we can look at quote from Norman Marks, a frequent contributor to the audit conversation through The IIA. Marks explains in a recent blog2 that “All observers have their own interpretation of what the term "culture" means. It is commonly interpreted as "the way we do things around here”.” By thinking of culture as “the way we do things”, we can expand our base definition that includes attitudes and behaviors to also encompass the processes we follow.
With these two definitions in mind, our audit approach to culture includes:
We should also consider the last two words to the quote from Mr. Marks. He said culture is "the way we do things around here”. Culture can vary wildly across an organization. Of course we can say that senior management sets the tone of an organization, and that the tone at the top will permeate to all of the lower echelons. In reality, that tone will be interpreted by managers and by the individuals under the managers, and it will be filtered through regional and geographical bias.
Results from the most recent Pulse of Internal Audit3 survey, conducted by The IIA, backs the idea that organizations have many factors influencing culture. In the influencing factors they identified, behavior modeled by executives and behavior modeled by other employees ranked as #1 (55%) and #4 (3%), respectively. This shows clearly how differences in behaviors between the ranks of an organization can impact its culture.
Culture cannot ever be truly defined in terms of a single, overarching organizational tone. Each region, each business unit, each department, and each team will have a different culture. So when we look at culture from an audit perspective, there is no one audit that we can perform that will tell us anything meaningful about our organization’s culture. We need to consider culture every day, on every audit.
The idea of a continuous culture audit is supported by a recent paper from The IIA titled Auditing Culture – A Hard Look at the Soft Stuff4 . The paper said that “Auditing culture must be incorporated into every audit engagement, providing the organization with a baseline for continuous monitoring and enabling internal auditors to look for early warning signs.”
In the next installment, we will outline a strategic approach to auditing culture.
1 Organizational Behavior: Improving Performance and Commitment in the Workplace – Colquitt, et al.2A new report provides insight on organizational culture - Norman Marks32016 North American Pulse of Internal Audit4Auditing Culture – A Hard Look at the Soft Stuff
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has assisted numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems and operating procedures.