Effective approaches and practical steps for auditing culture

Audit
  • Publication
  • May 01, 2025

In the previous two editions of Short Reads, we looked at how corporate culture and ethics serve as a strong foundation of a resilient, high-performing organisation. We also looked at the expanding role of internal audit in cultural oversight. In this last article of the series, we will delve into the effective approaches and practical steps for auditing culture.

Assessing culture requires a multi-faceted approach:

  • Leverage Available Resources: Review employee engagement surveys to measure job satisfaction and predict performance.

  • Supervise Auditors Closely: Prevent false conclusions from subjective material.

  • Secure Support: Gain the support of the board, the Audit Committee, and Executive Management.

  • Make Two Separate but Possibly Interdependent Decisions: Determine the best combination of tools and decide how to approach the culture aspect of the audit.

  • Train the Staff: Ensure auditors are well-equipped to assess culture-related risks.

What to Audit?

Many considerations can be taken into account when auditing culture. The internal auditor should ensure that the culture aspect of the audit is tailored for the organisation and focuses on its specific environment, opportunities, and challenges. Examples include:

  • Satisfaction/Opinion Considerations: Employee observation of misconduct, employee perception of peer environment and culture, belief in a strong tone from the top, perception of the compliance and ethics program, and survey results.

  • Training: Existence of a comprehensive training program, frequency of training, and effectiveness assessment.

  • Compliance: Protection of whistleblower status, frequency of legal problems, number of risk and control problems identified, and timeliness of corrective actions.

  • HR Practices, Incentives, and Enforcement: Frequency of negative media coverage, consistency of penalties for policy violations, handling of honest mistakes, employee turnover, and exit interviews.

Planning the Culture and Ethics Audit

Begin with a thorough risk assessment to identify culture-related risks within the organisation. This involves reviewing past engagements, identifying potential risks, and determining the appropriate engagement approach.

Define clear objectives and scope for the audit. This may include evaluating the sufficiency and effectiveness of policies, procedures, and activities that support the culture and ethics process.

Ensure that the internal audit team has the necessary skills and competencies to assess culture-related risks. Periodically assess the skills of team members and provide training as needed.

Coordinate with other assurance providers to minimise duplication of efforts and enhance the overall value added by the audit.

Review documents such as value statements, strategies, risk appetite statements, organisation charts, governance frameworks, codes of conduct, ethics hotline information, and more.

Performing the Engagement: Choosing the Right Auditing Approach

There are three primary approaches to auditing corporate culture and ethics:

Integrated approach

This approach involves considering culture risk factors in all audit engagements. By embedding cultural aspects into the overall audit process, internal auditors can provide a comprehensive view of the organisation's culture, rather than treating it as a separate or standalone audit. For example, when auditing the talent acquisition process, auditors can integrate cultural risk factors such as management's refusal to acknowledge contrary information, inflexible hierarchy, and attitudes of hubris.

Targeted approach

This approach focuses on specific areas of concern or high-risk areas within the organisation. Auditors may select key processes and controls related to culture, develop an audit program, and perform targeted testing on the selected areas. This testing may be supplemented with interviews of a sample of employees to assess culture. For instance, auditors may review employee surveys, performance review documents, and complaint management processes to assess the organisation's culture. They may also examine performance review documents for assurance that disciplinary actions are invoked as outlined in the organisation’s code of conduct, employee manual, and/or compensation policy.

Top-down approach

This hierarchical evaluation starts with top leadership and cascades through all organisational layers. It emphasises the role of senior management in setting the company's tone and ensures that core values and ethical standards are upheld. For example, a global bank may blend all three approaches to perform a comprehensive top-down assessment of its culture. This involves distributing questionnaires to employees at all levels, integrating questionnaire information into all engagements, and involving senior management in assessing internal fraud risks, harassment claims, risk management, compliance, compensation, and sales practices.

Reporting and Communication

Effective communication of audit results is essential. Internal auditors should develop a final communication that includes objectives, scope, recommendations, and conclusions. This communication should be clear, objective, and tailored to the organisation's specific context. Internal auditors should also consider best practices such as:

  • Adherence to Standards: Apply appropriate standards and principles, use insightful interview techniques, focused investigation procedures, and objective evaluation.

  • Building Credibility and Trust: Encourage open participation from employees through effective communication, especially with management in troubled areas.

  • Understanding Organisational Values: Develop a deep understanding of the organisation's values and expected behaviours, involving internal audit staff and other relevant disciplines like compliance and ethics.

  • Cultural Indicators and Root Cause Analysis: Focus on cultural indicators and conduct root cause analysis to identify why issues occur and how they drive undesirable behaviours.

Culture is a powerful force, either a driver of success or a catalyst for risk. Auditing culture isn’t about box-ticking; it’s about ensuring that an organisation’s values aren’t just words on a page but a lived reality. By proactively assessing cultural risks, Internal Audit can provide the Board and leadership with the insights needed to build a stronger, more ethical, and ultimately, more successful organisation.

This article is the final one from a series of three on the topic. The first article gave a generic overview of auditing corporate culture and ethics, while the second article delved into internal audit’s expanding role in cultural oversight.

Reference: Auditing Culture, 2nd Edition, Global Practice Guide

Contact us

Bonavent Gauci

Advisory Partner, PwC Malta

Tel: +356 2564 7090

Vyas Isnoo

Senior Manager, Advisory, PwC Malta

Tel: +356 7975 6979
