
Auditing Culture: Bumps in the Road

James Roth Reid, PhD, CIA, CCSA, CRMA, May 01, 2019

Numerous obstacles can arise during culture audits, requiring that practitioners understand how best to navigate them.

Internal auditors new to auditing culture should be aware of the challenges they might encounter during this type of assessment. In this latest installment of my "Auditing Culture" series, I present some of these challenges, together with potential ways of addressing them. Although the list is by no means exhaustive, it should give practitioners a few insights into what to expect.

Culture is multifaceted and complex.

There are many models of culture available today. Those I have seen include anywhere from four to 30 cultural drivers. Moreover, each driver interacts with the others in complex ways. To foster the desired culture, each of these drivers should be well-designed, aligned with the other drivers, and operating effectively.

It is impossible to deal with all the nuances of this complex web, but we don't have to. Internal audit's goal, as I said in my previous installment, is to provide stakeholders insight about the culture and to continually enrich their understanding of it. We do need to be aware of the complexity of culture to avoid jumping to conclusions on limited evidence.

There are no agreed-upon criteria for what constitutes a good culture.

The first researchers who studied organizational cultures tried to identify the characteristics of a good culture. Today, the general consensus is that there is no universally "right" or best culture. For example, a venture capital firm takes big risks for potentially big rewards, whereas a commercial bank should have a more balanced approach. Likewise, an internet startup may be almost completely focused on innovation, while an established internet service provider might be more conservative.

Cultural variations will even exist within the organization. Finance could have a more conservative culture, while the sales team's culture may be considerably more aggressive — both within limits, of course. That said, there is probably a "right" culture for each organization — the culture that will best help achieve its strategy and business objectives. The organization's strategy can be the starting point for internal auditors in dealing with this challenge.

Managers create subcultures within their spheres of influence.

These subcultures will often be appropriate, as in the example of finance vs. sales. But if they fail to align with the culture adopted by the organization at large, subcultures may be problematic.

While the multiplicity of subcultures can be challenging, it also presents an opportunity for internal auditors. Inconsistency between a subculture and the desired culture often creates risk, and business leaders need to be aware of it.

Before reporting these inconsistencies to higher levels, internal auditors should work with local managers to help resolve them. To help prevent managers from becoming defensive, auditors could try showing them evidence of the problem rather than just stating that a problem exists. That way, managers learn about the problem by seeing the inconsistencies for themselves. Although not always successful, this approach often works with well-intentioned managers who want to improve. When it does work and the risk is not severe, internal audit can monitor the resolution informally in a positive, collegial manner and may not have to embarrass the manager by reporting it to higher levels.

Management and the board rarely define expectations for the culture.

Ideally, expectations should be defined across each part of the business and include observable behaviors that illustrate consistency with, or variance from, the desired culture. Internal audit would then have specific criteria to audit against.

To deal with undefined cultural expectations, some internal audit functions use a published culture model, tailor the cultural drivers to their organization, and agree on the result with management and the board. The effectiveness of each driver in helping the organization achieve its objectives becomes their criteria.

Many, if not most, organizations have at least four or five stated values. Although general, these values can sometimes serve as criteria to audit against. One telecom company, for example, had a value of achieving work-life balance for its employees. While auditing a large project, the internal auditors observed people working 60 to 80 hours a week due to unrealistic targets and poor project leadership. After internal audit reported this finding to management, the CEO took prompt action to rectify the situation because it violated a value he believed in.

Cultural inconsistency exists within the extended organization.

Few organizations today are self-contained. They have outsourced functions, suppliers, joint ventures, global operations, and so on. These third parties create risks for the organization, and cultural inconsistencies can magnify those risks.

Internal auditors can help the organization come to grips with this challenge by finding out what, if anything, the organization is doing to address it and assessing whether those measures are sufficient. For example, I know of two organizations that require third parties to give them a report each year explaining how they conform with the organization's values. One of them meets with each third party to discuss the report, and those meetings are considered the most meaningful part of the assessment process.

Employees are the best source, with a few caveats.

In my first installment, I proposed three principles for auditing culture, one of which is that an organization's culture exists in the perception of its employees. But finding out what employees really think of the culture can be difficult. Here are a few of the challenges.

They might not be fully candid. Employees may hesitate to say negative things about their work environment to an auditor, fearing retribution if it gets back to their superiors. Dealing with this challenge depends on the situation.

In a small organization in which auditors are trusted, a personal guarantee of confidentiality might be enough. At the other extreme is an anonymous employee survey, administered in a way that makes it physically impossible for anyone in the organization to know who said what. 

Internal auditors may not always be able to fully convince employees that an online survey is anonymous. One public sector audit function that contends with this issue devised an in-person, group method of collecting information, tailored for its unique circumstances. The department reviews other agencies believed to have serious problems, heightening the potential for mistrust. To help maximize candor, the auditors gather employees in an auditorium with no managers present and ask them to complete hard copy surveys. The employees then pass their completed surveys to the end of the seating rows, and the auditors collect them with no way to know who completed each one.

Most audit departments fall somewhere between these extremes. They have to find the right balance, keeping in mind that the more they know about where information comes from, the better they can follow up, but the less actual or perceived confidentiality they can offer.

They may have cultural "blind spots." A common definition of culture is "How we do things around here." When people join an organization, they want to fit in. They tend to accept the way things are done, assuming there must be a good reason for it — even if it doesn't seem quite right to them at first.

To deal with this challenge, internal auditors can apply their fresh perspective and broad knowledge of the organization to each audit. They are well-positioned to identify cultural inconsistencies that employees might not be aware of.

They may be subject to cognitive bias and groupthink. By one count, behavioral economists have identified 188 cognitive biases that hinder effective decision-making. Knowledge of cognitive biases will help internal auditors address them. Jeff Desjardins, founder and editor of Canadian media and news firm Visual Capitalist, identifies a sampling of biases relevant to the business world in his article, "18 Cognitive Bias Examples Show Why Mental Mistakes Get Made."

Groupthink can also obscure organizational culture. It can infect workshops, focus groups, or similar assessment forums. Facilitation skills should include the ability to recognize and counter groupthink. Also, auditors can use interviews or surveys instead of, or in addition to, group-oriented techniques.  

Internal auditors may have their own blind spots and biases. When auditors conduct surveys, interviews, and workshops, they bring their own baggage to the table. Auditors should be mindful of their potential to influence the assessment process or misinterpret results. One technique that might help is to have one or more "challenge sessions" during an audit, in which a more experienced auditor, independent of the audit team, meets with team members to challenge their thinking.

Clients' response to the results will be influenced by the culture. This may be true of the overall culture or the subculture created by a manager. Whether preparing to deliver initial verbal reporting on an issue or the final written report, internal auditors should consider how culture might affect the client's response and plan accordingly. 

For example, in a company with an aggressive sales culture, managers might be successful in the short term by driving employees to meet unrealistic targets. In doing so, they create a highly stressful, even toxic environment. Neither local nor senior management in such an organization is likely to welcome a recommendation to lower the targets and, in turn, the pressure. Providing concrete examples of the long-term harm this environment has caused in some parts of the organization or in other organizations (like Wells Fargo) would not guarantee success but would make acceptance more likely.

Overcoming Roadblocks

Internal auditors experienced in culture audits have likely encountered at least some of these challenges, as well as many others. But for those just starting, or about to start, being alert to culture-related challenges can be critical to success. As daunting as auditing culture may seem, internal auditors who have the courage to meet these challenges usually find the assurance value gained is well worth the effort.  


James Roth Reid, PhD, CIA, CCSA, CRMA

James Roth Reid is president of AuditTrends LLC in Hastings, Minn., and author of Best Practices: Evaluating the Corporate Culture. He received Internal Auditor’s John B. Thurston award for the article “How to Audit Culture” and conducts the seminar Auditing Culture: Challenges and Proven Techniques for The IIA.