Assessing the organization’s culture
It’s difficult to argue that an organization’s culture does not have a huge effect on the actions of its board, management, and staff.
Fingers have been pointed at the culture at GM, Toshiba, a number of US banks, RBS, and more – asserting that problems with the culture of the organization led to financial reporting issues, compliance failures, and excessive risk-taking.
Now, a new report by the Institute of Business Ethics, Checking Culture: new role for internal audit, “shines a spotlight on the role of internal audit in advising boards on whether a company is living up to its ethical values”.
The authors quote the CEO of the UK’s Chartered Institute of Internal Auditors (UKIIA):
“Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.”
In 2014, the UKIIA published Culture and the role of internal audit.
I strongly recommend reading both papers.
As usual, I have some concerns.
- While internal audit clearly has a role, why is the assessment of culture not performed by management – specifically by the Human Resources function? Wouldn’t internal audit add more value if it worked with that function and helped them not only assess culture periodically but build detective controls to identify potential problems on a continuing basis?
- There is no single culture within an organization. The UKIIA report includes this great quote: “The problem is; complex organisations, like the NHS [the National Health Service], mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat”.
- Culture has many forms: ethics; risk; performance; teamwork and collaboration; innovation; entrepreneurship; and so on. All of these are critical to success, but they can be in conflict with one another, such as risk-taking and entrepreneurship. Any audit engagement would need to focus on specific areas and know where management and the board draw the line between acceptable and non-acceptable. Taking too little risk can be as damaging as taking too much!
- Culture is very personal! It changes as managers and other leaders change, as business conditions change, and so on. Any audit engagement has to take note that the behavior of decision-makers can change in an instant and any assessment can quickly be out of date and misleading. In fact, poor behavior by a tiny fraction of the organization can have a massive impact – and this may not be detected by any survey.
Does this mean that internal audit should not have a role? No. They should.
This is my preference:
- All internal auditors should be aware of and alert to any indicators of inappropriate behavior of any kind: from ethical lapses, to excessive risk-taking, to disregard for compliance, to poor teamwork, to ineffective supervision and management, to bias or discrimination, to – you name it.
- Internal auditors should not be afraid of bringing these issues to the attention not only of senior internal audit management (so that the need can be assessed for a broader review to determine whether this is an individual, team, or broader problem) but also of more senior management and Human Resources so they can take action.
- The CAE should talk to the CEO and the head of Human Resources and help them establish the proper guidance, communication and training in desired behaviors, as well as periodic assessments and detective controls to assure compliance.
- The CAE and the CEO should discuss the organization’s culture and its condition with the board (or committee of the board) on a regular basis. My preference is for the CEO to take the lead, with additional information provided by the CAE on internal audit’s related activities and opinion.
For a different spin, check these out:
- What are the most common organizational culture problems?
- 3 Cultural Problems That Cause Good Employees to Go Bad
- 7 signs your organization has a toxic corporate culture
- Risk Culture (Institute of Risk Management)
What do you think the role of audit should be, especially vs. the role of management, when it comes to culture?