Internal auditors face an uphill climb when it comes to auditing corporate culture
The Financial Crisis of 2008 cemented what many risk management experts have known for years: You can have an army of risk managers and all the sophisticated risk-management models and tools you like, but if there is something wrong with the culture of the organization and what we all now call the “tone at the top,” they won’t work. That was clear at Bear Stearns and that was clear at Lehman Brothers.
Since then, risk managers, internal audit leaders, and governance gurus have tried to make a stronger connection between culture and tone and risk management. What was once thought to be a squishy art better left to the feel-good folks in the human resources department is slowly becoming a hard science with monitoring, measures and metrics, and an emerging literature and research.
As part of this evolution, more companies are asking internal audit to play a role in measuring, monitoring, and improving their culture. Indeed, in a report issued earlier this year called “Time to Move Out of the Comfort Zone,” the Institute of Internal Auditors suggested that auditing organizational culture was among the top challenges that internal audit needs to address. “High-profile scandals and organizational failures that have littered the landscape over the past year point to the critical role of culture in the governance of organizations. Unfortunately, only 42 percent of survey respondents are addressing the culture in their organizations,” the IIA wrote in its report.
Is it Measurable?
According to the IIA survey, among those companies that don’t audit organizational culture, just 45 percent even agree that internal audit is able to identify and assess measures of organizational culture. That means many internal auditors still view culture as a nebulous element that is too difficult to distill out of the ether and put some meaningful quantifications around.
That’s easy to understand. After all, culture doesn’t really exist on paper in the policies, procedures, codes, and standards a company writes, but in how its people interpret them along with other signals and incentives, and the actions of upper management. Those are harder things for an auditor to put his or her finger on, never mind assessing them and providing some level of assurance that the culture is working as intended.
“I think that there are two ways to audit corporate culture. One addresses the codified culture, and involves looking at the management reporting and structure processes,” says one internal auditor at a health care company. “This can be validated for compliance with documented management controls. The other is extremely subjective and is a rabbit hole. It can only work in an environment where management is very self-aware and open to feedback. It can be effective under optimal conditions, but those optional conditions seldom exist.”
He makes a good point and one that the IIA acknowledges: “Lack of management and board support for internal audit’s involvement with culture, and lack of internal audit’s ability to identify and measure organizational culture, are closely associated with internal auditors avoiding this risk,” it writes in the report.
Getting that support won’t be easy, but it’s important for internal audit to push for it. One of the ways to do that is to demonstrate expertise on connecting culture to risk management. For the C-suite and the board to become receptive to the idea of involving internal audit in addressing issues around culture, they must first be convinced of its role as a key element in the control environment. With the many scandals, including Toshiba, VW, Valeant, and others that point to a toxic culture, connecting those dots should be a lot easier.