
Assessing the organization’s culture

It’s difficult to argue that an organization’s culture does not have a huge effect on the actions of its board, management, and staff.

Fingers have been pointed at the culture at GM, Toshiba, a number of US banks, RBS, and more – asserting that problems with the culture of the organization led to financial reporting issues, compliance failures, and excessive risk-taking.

Now, a new report by the Institute of Business Ethics, Checking Culture: a new role for internal audit, “shines a spotlight on the role of internal audit in advising boards on whether a company is living up to its ethical values”.

The authors quote the CEO of the UK’s Chartered Institute of Internal Auditors (UKIIA):

“Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.”

In 2014, the UKIIA published Culture and the role of internal audit.

I strongly recommend reference to both papers.

As usual, I have some concerns.

  • While internal audit clearly has a role, why is the assessment of culture not performed by management – specifically by the Human Resources function? Wouldn’t internal audit add more value if it worked with that function and helped them not only assess culture periodically but build detective controls to identify potential problems on a continuing basis?
  • There is no single culture within an organization. The UKIIA report includes this great quote: “The problem is; complex organisations, like the NHS [the National Health Service], mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat”.
  • Culture has many forms: ethics; risk; performance; teamwork and collaboration; innovative; entrepreneurial; and so on. All of these are critical to success, but they can be in conflict with one another, such as risk-taking and entrepreneurial. Any audit engagement would need to focus on specific areas and know where management and the board draw the line between acceptable and non-acceptable. Taking too little risk can be as damaging as taking too much!
  • Culture is very personal! It changes as managers and other leaders change, as business conditions change, and so on. Any audit engagement has to take note that the behavior of decision-makers can change in an instant and any assessment can quickly be out-of-date and misleading. In fact, poor behavior by a tiny fraction of the organization can have massive impact – and this may not be detected by any survey.

Does this mean that internal audit should not have a role? No. They should.

This is my preference:

  1. All internal auditors should be aware of and alert to any indicators of inappropriate behavior of any kind: from ethical lapses, to excessive risk-taking, to disregard for compliance, to poor teamwork, to ineffective supervision and management, to bias or discrimination, to – you name it.
  2. Internal auditors should not be afraid of bringing these issues to the attention not only of senior internal audit management (so that the need can be assessed for a broader review to determine whether this is an individual, team, or broader problem) but also of more senior management and Human Resources so they can take action.
  3. The CAE should talk to the CEO and the head of Human Resources and help them establish the proper guidance, communication and training in desired behaviors, as well as periodic assessments and detective controls to assure compliance.
  4. The CAE and the CEO should discuss the organization’s culture and its condition with the board (or committee of the board) on a regular basis. My preference is for the CEO to take the lead, with additional information provided by the CAE on internal audit’s related activities and opinion.

For a different spin, check these out:

What do you think the role of audit should be, especially vs. the role of management, when it comes to culture?

  1. August 1, 2015 at 10:08 PM

    Risk practitioners generally failed to address the underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response are lacking.

    Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

    Every business decision is a RISK decision; what is your level of risk intelligence and how is your Risk Culture?

    For an easy maturity evaluation process, see details here: https://blogs.zawya.com/Risk%20Culture%20Builder/120722113510/

  2. August 5, 2015 at 10:00 AM

    Assessing the organization’s culture

    I approach culture from the perspective of an HR/organization development career, having also worked for some years in the auditing environment of PwC.

    Like you, I believe an organization’s culture has a huge effect on the actions of its board, management and staff. Clearly, culture can be the source of good or ill, especially when the organization’s strategic direction changes significantly and is no longer culture-compatible. When the latter occurs, changing culture can be expected to be exceptionally challenging and to take a long time.

    In my view, the essence of culture is what is shared in people’s minds (beliefs and values) and translated into behavior patterns at the level of groups (i.e. sub-cultures) or the organization as a whole. Among its critical dimensions are whether it is strong (consistently applied and reinforced at all levels) or weak; what parts are overt (talked about openly in meetings) or covert (restricted to private conversations with one’s closest confidants) and, overall, whether it enhances or limits the organization’s ability to succeed.

    In this domain, you have addressed the roles of internal auditors, HR and management, especially the CEO and CAO. I offer my views below.

    Internal Audit: I agree that internal audit should scan for inappropriate behavior, especially related to ethical lapses or excessive (and insufficient?) risk-taking or financial mismanagement, but consider that ineffective supervision and management fall generally under the direct purview of management — and indirectly by HR. Internal audit, while perceiving the results of behavior, are not behavioral experts nor are they positioned to address covert culture which can be one of the more demanding features to tackle.

    HR: The HR function should support a strategy-compatible culture through the training of managers and staff and especially in ensuring the reinforcement of the culture through recruitment, formal and informal surveys and through its performance management and incentives and rewards systems.

    Managers: I believe managers should be trained to monitor how culture is playing out in their groups and also play a key role in culture change, as outlined in an organization’s culture change program, whenever applicable.

    CEO: I see the CEO as the chief culture officer, interacting on it with her/his team, the staff in general and, of course, the board. The CEO who communicates regularly about different aspects of the organization’s culture, offering examples of how it is supporting the achievement of goals, and personally modeling the values espoused, fulfills a key and necessary role. The CEO should provide a regular periodic reading of the culture especially on how key strategic issues are trending. In fact, for a CEO not to do so could constitute a pretty serious lapse in the risk-taking arena.

    Bottom-line, it behooves organizations to have a good handle on their current culture so that they can address needed changes, whether initiated by values, the needs of the market place, structural adjustments or even a merger.

    • Norman Marks
      August 5, 2015 at 10:08 AM

      Excellent comments – thank you

  3. Steven Strammello, Crowe Horwath
    August 6, 2015 at 10:42 AM


    Good thoughts and great topic. One observation I have noticed is that culture evaluation is often shortchanged and organizations are either deemed to have a “good” culture or a “bad” culture. Similar to the observation of NHS having multiple cultures, each organization’s culture is different…sure some are really good, and some are clearly really bad, but most are somewhere in the middle. The point is each is unique and understanding what makes a culture unique, and the implications those unique aspects have on risk management, is where the awareness pays dividends. Seems to me it is Senior Management’s responsibility to establish the desired culture and to drive it through leadership. Human Resources’ responsibility is to periodically assess culture to ensure it is aligned to the desired state, and to help senior management drive the culture. Internal Audit’s effectiveness is improved with it understanding the unique aspects of an organization’s culture, and embracing the impact that has on the behaviors, actions and incentives throughout an organization. It’s so challenging though, when that knowledge and insight doesn’t quite translate into a work paper, control matrix, or finding and recommendation template.

    Thanks for your leadership on the topic. It’s an important one.

  4. Peter Goldmann
    August 8, 2015 at 11:13 AM

    IA should definitely have a role in assessing culture. But it should do so independently. Because culture is usually set at the C-Level they should not be part of the assessment process. Nor should mgmt in any way compromise IA’s autonomy–same as with audits. Unfortunately this is often easier said than executed.

  5. August 18, 2015 at 3:23 AM

    The culture of the Organization shall be simply assessed by the level of commitments from the employee side and the presence of blame culture and the investments from the management to manage the risks etc. Improving the safety culture really requires the best consultation programs among the employees and possibly better commitment from the management.

    Thanks for the Best post



  6. August 31, 2015 at 6:49 AM

    The best ethics audits are done by ethics practitioners with fresh eyes and training specific to this function – and those have been taking place in progressive organizations for over 20 years. I think Internal Audit can play a strong role in evaluating trends between external audits – just as it plays a role in financial controls between external financial audits. I would never suggest HR lead as in many ways an ethics audit is assessing the impact of HR’s work. Having them lead that assessment would be like having your CFO function as your external financial auditor.
