The single piece of advice I offer internal auditors more than any other is to “follow the risks.” If internal auditors follow the risks, they enjoy a much greater likelihood of allocating scarce internal audit resources where organizations are most vulnerable. Simply put, following the risks positions internal audit to not only protect value but to help organizations realize value. Yet, there is one risk to which internal auditors remain apprehensive of directing their attention — their organizations’ culture.
It isn’t just internal auditors who are hesitant when it comes to culture. Organizations’ leaders are also not consistently recognizing the level of risk created by culture. Whether from uncertainty about how to proceed, apprehension about what they’ll find, or a lack of understanding of culture’s connection with strategic business risks, most organizations and the internal auditors who serve them lack maturity in assessing culture risk.
In truth, no organization can afford to ignore culture’s extraordinary impact — on employee engagement and well-being, organizational value and performance, competitive advantage, innovation, overall economic growth, and so much more. It’s time for internal auditors to lead the way in showing their organizations why culture matters and how we can measure and monitor its impact to uncover issues before they grow into potentially catastrophic culture failures. That begins with identifying and monitoring the key culture risk indicators (KCRIs) that matter in your organization. As Cynthia Cooper and I wrote in the introduction to AuditBoard’s 2023 Organizational Culture and Ethics Report: Internal Audit’s Role in Unlocking Culture as Catalyst and 21st-Century Differentiator, “You cannot manage what you do not monitor. Boards and executives cannot know how healthy a culture is — or is not — without actually assessing it.”
Demystifying Culture and Culture Assessment
Nearly every part of the organization impacts culture, and conversely is impacted by it. Organizational culture is, as Charles Handy famously expressed, “the way we do things around here.” It is a complex phenomenon founded on the shared mindsets, behaviors, principles, values, and individual decisions that drive action and purpose in an organization. It is also the personality and moral fabric of an organization — the glue that holds everything together.
There is no one-size-fits-all culture, and every culture has both weak and strong aspects that evolve over time. To detect early warnings of culture weaknesses, vulnerabilities, or failures, internal audit can help to identify and monitor the right aspects of culture to adopt as KCRIs. Assessing culture requires determining which KCRIs matter most in your organization and creating metrics that can be monitored over time. While most organizations are not yet tracking these types of metrics, they are essential for understanding, assessing, and managing organizational culture. A good place to begin is by looking at the KCRIs that matter in any organization.
AuditBoard’s 2023 Organizational Culture and Ethics Survey asked more than 350 internal audit leaders across industries to identify the top five culture risk indicators in their organizations. The chart below showcases the highest-ranking results, all of which are crucial for any organization to understand and monitor. Below, we’ll dive more deeply into the findings, addressing impact, key considerations, and specific KCRIs that organizations can consider in each area. The example KCRIs are drawn from two sources: those without a source marker were included in AuditBoard’s 2023 Organizational Culture and Ethics Report, and those marked “(IIA)” were included in The Institute of Internal Auditors’ (IIA’s) very helpful practice guide, Auditing Culture.
1. Poor Tone at the Top, or Executives Don’t Live Values
Executive behavior is seen as paramount in influencing organizational behavior. It was the top response in our survey, with 68% of internal audit leaders identifying “poor tone at the top/executives don’t live values” as a top-five culture risk indicator. Further, when asked to identify the top three entities that influence culture, 76% of respondents identified “CEO and/or founders,” 65% “line management,” and 60% “Non-CEO C-Suite members.”
“Tone at the top” is how C-suite executives and the board behave, encompassing actions, words, and deeds. It plays a central role in setting the tone for the entire organization. If leaders aren’t “walking the talk” by modeling and advocating appropriate behaviors, values, and priorities, the organization opens itself to a range of critical risks, including lost trust and confidence in leadership, loss of reputation, increased fraud risk, reduced employee well-being, and so much more. One only has to look as far back as recent headlines for startling cautionary tales such as FTX and Theranos.
The tone at the top should reflect a clearly defined purpose and set of organizational values, helping to establish a culture and work environment in which ethical behavior is valued and people feel engaged, respected, and empowered to do their best work. Accordingly, example KCRIs in this area look for behaviors that signal the opposite, such as:
- “Building and cultivating a healthy culture is not prioritized by executive management or the board.”
- “Executives don’t exhibit ethical or core values.”
- “Executives lack expertise and skills and/or are disengaged.”
- “Executives don’t effectively define, communicate, and reinforce core values, employee expectations, strategy, important messages, etc.”
- “Board members do not proactively and consistently monitor and discuss organizational culture issues.”
- “Employees report that they do not feel respected, trusted, or valued by management; are not empowered to make decisions; do not find a sense of meaning or purpose in their work; and/or are subject to unachievable goals and unreasonable expectations (e.g., deadlines, productivity, efficiency, profitability).”
- “Management is taking excessive risks that negatively impact culture, key stakeholders, or the organization’s longevity.”
- “Unreasonable expectations, including deadlines, profitability, or levels of efficiency.” (IIA)
2. “Profit at Any Cost” Mentality
A profit-at-any-cost mentality — which values financial returns above all else, following the thinking that the ends justify the means — was the second-ranking choice of internal audit leaders surveyed, with 51% identifying it as a top-five risk indicator.
Having a purpose over profits is a vital guiding principle for any healthy organizational culture. Of course, with capitalism, the drive for profits is not going anywhere. There will always be a degree of inherent culture risk for organizations under pressure to meet financial targets, and this understanding should inform our approach to auditing culture and assessing its risks.
Beyond staying mindful of the fraud risk that emerges at the confluence of motivation, opportunity, and rationalization (in this instance, a profit-at-any-cost mentality), internal auditors can set and monitor example KCRIs such as:
- “Management makes short-term decisions driven by financial goals that cause harm to others, are considered unethical or illegal, and/or are not in the best long-term interests of the organization or stakeholders.”
- “[Employees] are subject to unachievable goals and unreasonable expectations (e.g., deadlines, productivity, efficiency, profitability).” (Also mentioned in No. 1.)
- “Questions to ask…”
  - “Are compensation plans and perks competitive? Do they drive or encourage unethical behavior?”
  - “Are work hours excessive? Do employees have reasonable work-life balance? Are there excessive errors, disengagements, or cases of burnout and attrition?”
  - “Do expectations to meet deadlines or complete work result in undue pressure and poor quality?”
- “Incentives not aligned with values.” (IIA)
3. Unethical or Illegal Conduct Without Accountability
“Unethical/illegal conduct without accountability,” selected as a top-five risk indicator by 46% of internal audit leaders, tied for the third-highest-ranking KCRI in our survey. While behaviors will look different from organization to organization, common threads include a general climate of defensiveness, blaming others, and different people held to different standards.
As with the profit-at-any-cost mentality, the presence of this risk indicator suggests that executives and/or employees are not demonstrating the values of a healthy culture. Healthy culture guiding principles recognize and reward ethical behavior while holding both leaders and employees accountable for any unethical behavior. Example KCRIs in this area may include:
- “Conflicts of interest negatively impact the workplace and health of the culture (e.g., at the board, management, or employee level).”
- “There is no conflict of interest policy.”
- “Questions to ask… Is ethical behavior recognized or rewarded? Is unethical behavior properly addressed?”
- “Lack of accountability, especially at senior levels of the organization.” (IIA)
- “Failure to enforce codes of conduct and related policies and procedures.” (IIA)
- “Disregard of laws and regulations if they are not conducive to the organization achieving its objectives.” (IIA)
4. Poor Communication
“Poor communication (top-down, bottom-up, cross-functional)” also came in third in our survey, selected as a top-five risk indicator by 46% of internal audit leaders. In this context, poor communication includes not only how an organization formally communicates its purpose, values, and desired behaviors, but also how stakeholders at all levels informally share information, insights, and feedback up, down, and across the organization.
Communication is an essential enabler for creating alignment to an organization’s vision, purpose, and goals. In our survey, 75% of internal audit leaders identified “communication (effectiveness/frequency)” as one of the five most important drivers of organizational culture. When communication is lacking, inadequate, or even discouraged, it has a significant impact on employee engagement, empowerment, and well-being — a key risk for any organization seeking to attract and retain high-quality talent, drive innovation and competitive advantage, and drive better business performance. Example KCRIs in this area may include:
- “Speaking up is uncommon and is not encouraged or supported.” For example:
  - “Employees are not comfortable speaking up.”
  - “Employees who raise issues don’t feel that their anonymity is protected or that issues are taken seriously and are addressed. In addition, they may face retaliation.”
  - “The organization does not have a robust infrastructure to ensure that issues raised are properly investigated and resolved in a timely manner (e.g., ownership for investigations has not been assigned and there is no hotline or code of conduct, ethics and compliance resources and policies are inadequate, there is a lack of monitoring, or issues are not escalated to the appropriate levels of management or the board).”
  - “Management and/or the board are not open to ‘bad news’ or dissent, and refuse to take timely, ethical, and transparent action based on credible information that indicates a decline in performance or contradicts their preferred strategy, decisions, or opinions. There is a lack of flexibility in changing course when necessary.”
- “An inflexible hierarchy impeding the flow of information up, down, and across the organization.” (IIA)
5. Lack of Transparency
Rounding out our list of the five KCRIs you can’t afford to ignore, 35% of the internal audit leaders we surveyed identified “lack of transparency” as a top-five risk indicator. Where transparency is in short supply, there is often something to hide.
Healthy cultures value, encourage, and support open, transparent, and honest communication. The more transparent communications are, the more stakeholders at all levels feel valued, trusted, empowered, and connected to the purpose — and success — of their organizations.
KCRIs to look for in this area may include:
- “There is a level of secrecy and lack of transparency that lead to toxic cultures and culture silos.”
- “Employees’ (including internal auditors’) lack of knowledge about key risk management activities and potential risk impacts.” (IIA)
- “A pervasive environment of mistrust toward auditors and regulators, including a lack of understanding of the role of controls in achieving business objectives.” (IIA)
Culture Assessment Can Begin Today
No organization is immune from culture failure. In fact, if you hear your C-suite or board express that culture failure could “never” happen in your organization, that constitutes another KCRI — one indicating an unhealthy attitude of hubris, and an underestimation of culture’s link to strategic business risks.
Fortunately, it is within your power to get started today. Considering culture in individual conclusions or findings is a good place to begin, as the root causes of audit findings are often aspects of culture. When controls fail, risks aren’t managed, and regulations or laws are violated, internal auditors should ask themselves: Is culture a fundamental root cause? From there, internal auditors can work toward advancing culture assessment maturity by including individual culture audits within service lines, business units, or geographies, and then proceeding to create capstone or trending reports that bring together multiple inputs. Ultimately, it’s important to also incorporate a top-down, holistic approach that includes an enterprise-wide culture assessment. If you think of ERM and strategy, how long would you assess only small aspects before taking a more holistic approach?
To fulfill their mission and follow the risks, internal auditors must stop waiting to be asked when it comes to culture. Instead, understand the urgency of assessing culture — and your role in helping your organization take decisive steps forward to begin advancing culture assessment maturity. Many of our profession’s greatest triumphs have involved internal auditors taking the initiative to speak out. As I wrote in my book Trusted Advisors: Key Attributes of Outstanding Internal Auditors, “The most effective internal auditors are those with enough fortitude to blow the whistle before trouble ensues. They see troubling issues in the formation stage, raise a concern, and take a stand to ensure things are done right.” Culture is a critical risk in every organization’s risk universe, and it’s time we all work collaboratively with our organizations to recognize it as such.