David Diamond, SVP and Head of Internal Audit and Compliance for Lionsgate Entertainment, comments on our three tips to auditing culture.
It’s no secret that corporate culture has been at the forefront of recent news. CEOs have stepped down, lawsuits have been filed, and audit teams are looking at more culture-specific audits. However, IIA’s 2018 North American Pulse of Internal Audit suggests that only 4 percent of audit effort this year is being allocated to governance and culture. With operational, financial, IT, cyber, and fraud all taking precedence, does internal audit have resources to make an impact on an organization’s culture?
We recently spoke with David Diamond, SVP and Head of Internal Audit and Compliance for Lionsgate Entertainment, about his experience with culture audits. “Our internal audit team has been addressing potential culture issues over the past 10 years by first sending out baseline independent and confidential surveys - which we include as part of our on-going COSO entity-level controls. Our surveys are broken down by category into such areas as perceived management tone at the top, management inclusion, company change and innovation, risks taken and governance controls, knowledge of the code of conduct as well as staff’s knowledge about the whistleblower program. Then responses are reviewed for any trends and we follow up and work with management for any identified issues in order to help address.”
As COSO entity-level controls help monitor culture, internal audit teams are also adding additional audits aimed at improving company culture. Thus, we’ve added three simple tips to assess and audit your corporate culture so you know where to turn.
1. Perform a root-cause analysis to identify cultural weaknesses
As issues are identified during the course of your various internal audits, evaluate what underlying behaviors, or “root-causes,” contributed to the issues. This step helps you go beyond processes and controls to identify cultural weaknesses.
As David suggests - performing root-cause analyses can help organizations meet their cultural goals. “We have a positive strong cultural tone at the top from management that supports our code of conduct and ethics. We have been successful because we made sure at every turn to address each root cause whether it be lack of understanding about internal controls, training, or trust and transparency.”
2. Break up the culture audit into smaller focal points
Start small and grow the initiative. Many auditors are hesitant to perform audits of cultural behavior as the results can be taken as a personal attack on management’s tone at the top or due to the lack of measurability with some behaviors. If auditing culture is not your specialty, then it may be more effective to perform smaller audits focused on a specific area of your entity’s culture or even a specific department. Here are some ways to start:
Perform audits in areas indirectly tied to culture. These types of culture audits often indirectly reveal potential cultural risks. Example audits include T&E, workforce planning, talent acquisition, learning and education, compliance trainings, and sales compensation.
Create focal points within cultural-specific audits. While there are opportunities to address culture in most audits, teams can narrow its focus to key areas where culture plays a stronger influence. Start with risk and cyber culture and look at varying tolerances and controls in place to monitor risk.
Find a champion. Find an executive who supports auditing organizational culture. Define the roles of what internal audit can do to help improve governance. Consider incorporating governance auditing in your internal audit charter.
3. Be patient. Improvements require time, effective communication, and follow through
A culture audit is not something that’s done quickly. As mentioned before, tone at the top of the organization is critical to success - that also includes having core values that are agreed upon, written, and expressed regularly. Next, employees at all levels need to understand the values and receive training on roles, responsibilities, and expectations. Don’t anticipate having all of these values naturally fall into place. There needs to be follow through of testing current practices, positive and critical communication of successes and gaps, and matching controls with the desired behavior. The amount of time that’s required to execute on this initiative differs depending on an organization time, skills, and resources.
“It takes a lot of time to address cultural issues. IA needs time with management to figure out a path for change. Management is often tied up working on day-to-day functions and may not have time to immediately address all the issues,” says David. “This is where corporate sponsorship at the Executive level of management and the Board can be helpful in allocating resources and setting the right priority.” Most importantly, Internal Audit “needs to be skilled in communicating and elevating any cultural issues requiring change and work with management as a change agent to help make it happen.”
If this is your first organizational culture audit, don’t navigate it alone. Head on over to our planning an audit checklist to begin planning your next audit.
Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.