Internal Audit

Culture Audits: 3 Tips to Assessing Your Corporate Culture

Culture Audits: 3 Tips to Assessing Your Corporate Culture

Culture audits often make internal auditors nervous. The idea of auditing something as vague as behavior sounds confusing when we are used to auditing processes. In this article, we will provide an outline for conducting a culture audit.

What Is a Cultural Audit? 

A culture audit is unlike any other project the internal audit department will perform. While most audits start with a set of risks within a given process, a culture audit revolves around the potential for conduct risk from employees, vendors, and other stakeholders that can impact operations and reputation. Company culture is often the defining characteristic for either success or failure. When a failure occurs, poor workplace culture is often identified as the root cause of the series of events that led to the failure.  

Culture and conduct are highly intertwined. In many cases, a culture audit seems like a daunting task since we are asked to audit something we cannot observe. To understand a culture audit, we need to start with a few basic definitions. In a recent practice guide titled Auditing Culture, The IIA defines organizational culture as “the invisible belief systems, values, norms, and preferences of the individuals that form an organization.” They also define conduct as “the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.” By understanding the connection between culture and conduct, we learn that culture is the underlying driver of conduct, and conduct is the observable outcome from culture.

With this understanding, a culture audit includes reviewing how management’s tone influences employee behaviors and conduct. As we have seen in many examples, observable conduct may differ from the culture management wishes to portray. When Enron collapsed in the early 2000s, its corporate culture was put under the public spotlight. On paper, the culture should have been exemplary, but the reality was a toxic environment of corporate greed allowing fraud to take precedence

What Does a Cultural Audit Include? 

A culture audit includes reviewing both subjective values within an organization and the actual, observable conduct by employees and vendors. Conducting a culture audit can be especially difficult since the audit department itself is influenced by the same culture they will audit. By taking a systematic approach and acknowledging our potential bias, we can perform a meaningful audit. 

A culture audit will follow the same format as any other audit: planning, fieldwork, and reporting. In this audit, there will be a higher than usual emphasis on interviewing and direct observation. Often the culture audit starts with an anonymous cultural audit survey sent to all stakeholders to gain a basic understanding of the culture.

During the fieldwork phase, we start with a review of the culture on paper. The review is meant to establish management’s intended culture or at least how management wants to portray the culture. 

Supporting documentation to review includes:

  • The mission and vision statements, and any values the company states publicly
  • The mission and vision statements, and any values industry peers state (for comparison)
  • Statements about management styles used in recruiting or training materials
  • Backgrounds and bios for senior management
  • Organizational history and origins
  • Statements about organizational goals and direction
  • Code of conduct and ethics

Data analysis should also extend beyond a review of documents. We can see evidence of Company culture in:

  • Hiring and termination trends
  • Wage and pay equity across demographics
  • Use of fair success metrics

  • Responses to incidents such as a data breach
  • Use of tip lines and handling of fraud cases

Taking a consistent approach during the culture audit will make it easier to compare different parts of an organization. Remember, a review of the culture within one region, country, city, or even department within an organization may look completely different from others.  The localization of a bad culture was evident in a well-known scandal at Wells Fargo. An inappropriate metric was set for the number of new accounts bank branch managers needed to open, and the staff resorted to opening fake accounts. The conduct was influenced by a culture of greed that led to setting unrealistic goals.

Why Is a Cultural Audit Important?  

Workplace culture is viewed as one of the most critical factors for predicting overall success. A cultural audit is important because it allows an organization to assess the current state and take corrective actions before unacknowledged cultural issues derail its success. Culture can make or break an organization, and if it breaks there may be no coming back. Not all cultural issues lead to an implosion, but a bad culture, even a localized bad culture, can hurt an organization. 

A culture audit can help management address issues like toxic management, race and gender discrimination, low morale, high absenteeism, low productivity, and high tunrover. All of these findings are symptoms of a bad culture. We can illustrate this using a common example. In a large multinational company that manages multiple brands, there will be a variety of cultures at work. In one segment, management is tasked with increasing revenue even though they are managing a mature commodity product. Management puts pressure on the sales team to increase sales for the year. They enforce the pressure by tying the team’s commissions to an unattainable goal. When sales inevitably do not increase, the sales team is discouraged, and management is irate. When management reports their results, senior management increases the pressure even more in an effort to drive unrealistic results. This scenario is all too common in the corporate world, and leads to many of the symptoms listed earlier. In a culture audit, cultural audit survey results showing low morale, analytics showing high turnover, and interviews uncovering toxic management point to cultural issues.   

Why Corporate Culture Is Important   

It’s no secret that corporate culture has been at the forefront of recent news. CEOs have stepped down, lawsuits have been filed, and audit teams look at more culture-specific audits. However, IIA’s 2021 North American Pulse of Internal Audit suggests that only 4 percent of audit effort is being allocated to governance and culture. With operational, financial, IT, cyber, and fraud all taking precedence, does internal audit have resources to impact an organization’s culture?

A common approach for internal audit teams when addressing potential culture issues is to first send out baseline independent and confidential cultural audit surveys, which can be included as part of ongoing COSO entity-level controls. These cultural audit surveys can be broken down by category into such areas as perceived management tone at the top, management inclusion, company change and innovation, risks taken and governance controls, and knowledge of the code of conduct as well as staff’s knowledge about the whistleblower program. Responses should be reviewed for any trends, and internal audit should follow up and work with management for any identified issues in order to help address.

3 Simple Tips to Assess and Audit Your Corporate Culture

As COSO entity-level controls help monitor culture, internal audit teams also add additional audits to improve company culture. Thus, we’ve added three simple tips to assess and perform your corporate culture audit, so you know where to turn.

1. Perform a root-cause analysis to identify cultural weaknesses

As issues are identified during your various internal audits, evaluate what underlying behaviors, or “root-causes,” contributed to the issues. This step helps you go beyond processes and controls to identify cultural weaknesses.

Performing root-cause analyses can help organizations meet their goals and build a strong cultural tone at the top from management that supports the code of conduct and ethics. Organizations can be successful when they address each root cause, whether it be lack of understanding about internal controls, training, or trust and transparency.

2. Break up the culture audit into more minor focal points

Start small and grow the initiative. Many auditors are hesitant to perform audits of cultural behavior. The results could be taken as a personal attack on management’s tone at the top. The issues might be due to the lack of measurability with some behaviors. If auditing culture is not your specialty, then it may be more effective to perform smaller audits focused on a specific area of your entity’s culture or even a specific department. Here are some ways to start:

Perform audits in areas indirectly tied to culture. 

These types of culture audit often indirectly reveal potential cultural risks. Example audits include T&E, workforce planning, talent acquisition, learning and education, compliance training, and sales compensation.

Create focal points within cultural-specific audits. 

While there are opportunities to address culture in most audits, teams can narrow their focus to critical areas where culture plays a more substantial influence. Start with risk and cyberculture and look at varying tolerances and controls in place to monitor risk.

Find a champion.

Find an executive who supports auditing workplace culture. Define the roles of what internal audit can do to help improve governance. Consider incorporating governance auditing in your internal audit charter.

3. Be patient. Improvements require time, effective communication, and follow-through

A culture audit is not something that’s done quickly. As mentioned before, tone at the top of the organization is critical to success — that also includes having core values that are agreed upon, written, and expressed regularly. Next, employees need to understand the values and receive training on roles, responsibilities, and expectations. You shouldn’t anticipate having all of these values naturally fall into place. There should be a review of current testing practices, positive and critical communication of successes and gaps, and matching controls with the desired behavior. The amount of time required to execute this initiative differs depending on an organization’s time, skills, and resources.

It takes a lot of time to address cultural issues. Internal Audit needs time with management to figure out a path for change. Management is often tied up working on day-to-day functions and may not have time to immediately address all the issues. This is where corporate sponsorship at the Executive level of management and the Board can be helpful in allocating resources and setting the right priority. Most importantly, internal audit needs to be skilled in communicating and elevating any cultural issues requiring change and work with management as a change agent to help make it happen.

First Organization Culture Audit? Don’t Navigate It Alone.

If this is your first organizational culture audit, don’t navigate it alone. Head over to our planning an audit checklist to begin planning your next culture audit.

You Might Like

Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.