Auditing culture and behavior

The fundamental idea behind cultural risk is that, on paper, things may appear to be fine, but, in practice, reality is not the same.

Regulators and internal audit have started to recognize the importance of the culture when it comes to the effective management of risk and maintaining ethical conduct. This was caused – in a large part – by the recognition that many aspects of the financial crisis of 2007-2008 were caused by short-comings in the “bonus culture”, and underestimation of the impact of behaviour on risk and compliance matters.

The importance of culture and conduct in relation to internal audit has been recognized in many countries. In my own (the UK), a code of practice for internal audit in financial services proposed that IA functions look at culture, and, since January 2020, the IIA UK Code of practice for Internal Audit now says this should be an area for internal audit consideration in all sectors, not just financial services: 

Internal Audit Code of Practice Guidance on effective internal audit in the private and third sectors

What is culture, sub-culture and behavior

The fundamental idea behind cultural risk is that, on paper, things may appear to be fine, but, in practice, reality is not the same. In theory bankers were supposed to sell ethically, but in practice some were selfish and pushed products onto customers that they didn’t really need and couldn’t afford, and in turn created more long-term risk.

At a more basic level, thinking about behavior/culture for internal audit activities: 

• You request information to start an audit and the information comes late, or is incomplete;
• You organize a meeting as part of assignment fieldwork and its cancelled, or cut short;
• You are hoping to agree an audit report and find you are arguing over every word, and also pushed to justify your assignment grading;
• You have agreed actions and then find the manager concerned wants an extension to the deadline that was set (COVID19 may be another argument to seek delays).

And these behavioural factors also apply within and between other departments on a day to day basis in any organization; some departments work co-operatively together, where we might say “their culture is collaborative and healthy”, whereas “other departments operate in silos”. These examples illustrate one of the most famous definitions for culture: “Culture is the way we do things around here.”

To be more precise, individuals in an organization behave in particular ways. The aggregate of their behavior creates a “sub-culture” in a specific country, or department. For example, Norway has certain cultural norms, but these may be different, to some extent, from colleagues working in the UK, or Germany, and very different to colleagues working in Mexico or China. Good models for understanding culture at an international level include:

• The High/Low context framework, by Edward Hall;
• Cultural dimensions, by Prof Geert Hofstede;
• Seven dimension of culture, by Fons Trompenaars and Charles Hampden Turner;
• The model in “when cultures collide” by Richard Lewis.

In addition to national considerations, cultural differences arise because the people in different departments are recruited from different backgrounds, given different tasks and rewarded and managed in different ways. You can’t expect the cultural norms of the PR department (e.g. creativity) to be the same as the cultural norms of Internal audit (e.g. focus on facts and data). However, if you can find similarities in the culture between different areas (e.g. “teamworking”), then we might say that is a common cultural factor across the organization.

Real vs. espoused culture

Note that cultural norms and expectations may be proposed by senior management and HR, and communicated on the intranet, discussed at workshops and shown on posters, but that is what is called the “espoused” (official) culture.

The true culture of an organization is about the actual way we do things round here.

Academics Johnsen & Scholes

Academics Johnson & Scholes created a model for understanding culture, explaining it encompasses routines and rituals, which may in turn be linked to myths and stories, which may in turn be linked to leadership, heroes and villains etc. It’s important to understand that there are many ways of “slicing” culture, which can include international considerations (see Eric Hofstede), as well as the implicit mindsets people have about organizations (see Gareth Morgan in “Images of Organization”).

So, this leads to crucial point: behavior and culture cannot be pinned down by any specific model (no matter what anyone tells you, especially if they are trying to sell you their model!). Furthermore, behavior and culture are themselves caused by other factors. I can’t stress this point enough: you can’t properly explain poor cross-functional working by saying “there is a silo culture” that’s just a restatement of the problem! You have to start to ask WHY is there a silo culture? And saying, as some do, “the silo culture is due to a poor tone at the top” doesn’t really get hold of what’s going on either, because the question again comes: why is there a poor tone at the top?!!  Likewise, if a manager is not dealing with the audit process in a constructive way this is NOT explained by saying there is bad culture or poor tone at the top: it’s just a restatement that there is a problem. Such general explanations are actually examples’ of what are called “organizational defense routines” (see Chris Argyris), which effectively talk around an issue, but avoid pinpointing it specifically to protect the organization from embarrassment. Thus, there is an important interplay between culture and organizational politics, but this is something that many try to avoid discussing.

So, as you dig into this subject more deeply, you will discover that culture and behavior result from a range of psychological, sociological and systemic factors. That’s a big statement, but it’s vital to see this, so you don’t fool yourself that after looking at a culture survey, or reading an article, that you fully understand behaviour and culture. So, returning to the earlier examples about behaviours during internal audits, some of the behavioural reasons why departments resist audits, and dislike any negative conclusions may include: 

• The psychological tendency to justify what you have already done (L Festinger: Self-justification and Cognitive dissonance);
• The feeling that “everyone else is doing it” (S Asch: Conformity) or that “My boss doesn’t really care about this, so why should I?” (S Milgram: Obedience to authority);
• The fact that there is no target, or measure, or reward for doing the right thing, and/or no consequences if I don’t do something (these are some examples of systemic factors: see the elements of the Burke Litwin model in the diagram below). 

Busting two common myths about culture

Two final fundamental points when thinking about culture/behaviour: first they are NOT “soft” or “intangible”, as many say. You are not dreaming when someone cancels a meeting; nor when they argue over your ratings; this is real behavior and you experience it. What is more “intangible” is the aggregation of these behaviors. This means it’s always better to deal with these issues at a practical, specific level (behavior and sub-cultures) than to talk and think too much at the aggregate level (e.g. the overall culture).

Secondly, as you will know, but it merits repeating: Behavior and culture are dynamic phenomena. Things can be moving in a good direction and then there is a change, or perhaps a sudden shock, and the behavior/culture in an organization can change completely. This can be due to getting extra pressure to meet sales targets from your boss, or a change of boss, or something external such as COVID19. In many organizations’, perhaps your own, the culture may have changed drastically as a result of COVID19 (just think about the impact of working remotely). This is important to remember, because it means internal auditors need to be wary of thinking, or asserting: “we have a good culture, nothing bad is likely to happen.”

This means if you are asked to provide assurance on cultural/behavioural issues there may be significant issues with the length of time these assurances will last. The control culture may be good one day, but all you need is (say) a lot more remote working (with less checks carried out) plus cost pressures, and previous good practices will “fly out of the window” (unless your organization makes special efforts to counter this).

IIA standards to the rescue

So, what is a proper role for internal audit in relation to the soft stuff? Let’s look at relevant IIA standards (2017 International Professional Practices Framework (IPPF)):

1. Internal audit functions should do risk- based audit plans (IPPF 2010) – so that means we need to be clear:

A) What behavioural/cultural issues might, in aggregate, or in specific areas, generate an important risk for the organization? And/or,

B) In relation to the management of a specific key risk, what behavioural/cultural factors could undermine the way that risk is managed?

2. Internal audit should add value to the organization, and offer insight (IPPF 2000, 2010) and co-ordinate, and consider relying on others (IPPF 2050) – so that means we need to understand what known/not known concerning behavioural and cultural issues, before we start doing any audit work on culture. There is no point telling management/HR about a cultural problem they already know they have got, and (perhaps) are working on!

3. Finally, we need clear, robust, criteria for any assignment (IPPF 2210), against which we can judge any behavioural or cultural risks. Anyone can say, “we don’t have as good co-operation between finance and marketing as we would like”, but then we might get the counter-argument, “yes, co-operation could be better in some areas, but there are good practices and it’s getting better”.

Of course, there are IIA standards around IA proficiency and evidence gathering that must also be followed as well.

So, in practice what do I do about behavioural and cultural risks?

My first piece of advice is that in order to operate effectively in this arena, the first thing you need to do is make sure any audit staff who are going to be involved in this area properly understand what they are talking about in terms of behavior, sub-culture and culture, the difference between espoused and actual culture, and the fact that there are many models for culture, none of which are definitive.

The next step is that you need to learn to “see” the behaviours/culture in your organization. Recently, at a webinar for auditors from the Netherlands, one auditor explained how his organizational culture was really good, because people tried really hard to work in teams. I agreed that this team working culture may have good dimensions, but asked the auditor to consider that there might be a negative aspect (“a shadow”) to the team culture which might make it harder to challenge others and raise concerns (and on reflection the auditor realized this was the case, but felt it was hard to discuss this openly).

Other practical ideas, to deepen your understanding of culture and the risks that may be hiding are as follows. Concerning the measurement and improvement of the “official culture”:

• What is the link between espoused norms and behaviours and employee survey areas?  
• What questions are not asked in employee surveys – for example concerning aspects of the risk and control mindset of the organization? Remember that some culture surveys may be crafted in a way that matches senior management expectations and interests and may therefore omit important issues.
• What analysis is done of culture survey results, for example;
  • How does the organization address the fact that survey results may be on a range, with an average more or less content but others with (perhaps) serious concerns?
  • How does the organization deal with employees who do not respond to surveys? Is it assumed that their feedback would be the same as everyone else’s? If so, what is the basis for this?  (It could be that employees who do not reply are either over-worked (so feel they don’t have the time to complete a survey), or believe the survey process is something of a “theatre” where nothing will really change.
• How are conclusions drawn from the survey results and how are any actions proposed, prioritized and actions tracked? There may be alternative perspectives on what survey results actually mean (e.g. implicit criticism of strategic choices, but interpreted as a lack of understanding on the part of employees) and there may be a vagueness in the actions to be taken (e.g. run workshops, without much concern for the actual outcomes).
• Also, take a long hard look at the following:
• Issues, incidents and near miss information – what have been the explanations of why these issues arose?
• Regulatory or other external inspection surprises – how much did we expect these problems, or were we surprised and if so why? (Note blaming specific people, contractors or external events is not a healthy sign – see the Just Culture framework).
• Other Risk management surprises – such as projects that have been delayed, or gone over budget?
• Internal audit results over (say) the past 1-2 years – are there any themes or patterns suggesting the same or similar things are going wrong? Also, what work has been done to understand the key root causes of these issues? 
• What management behaviours do we encounter when we do our internal audits? How many of these behaviours are healthy and how many cause us concern? Have we kept a record of these behaviours for each audit and are we clear in tangible terms who we are most/least happy with and why? (see attached table).

Once you have pulled together as many of the “the pieces of the jigsaw” that you can, the audit team can start to think about: i) gaps in knowledge and understanding that need to be better understood (e.g. progress on certain HR initiatives, or by doing more root cause analysis work) and in addition ii) the cultural/behavioural issues that may create the biggest risks?

Other practical steps you can take

Based on an analysis of the areas that may pose the biggest risk from a behavioural/cultural perspective, here are some of the steps other audit teams have taken:

• On the understanding that a smooth audit process reflects a better control culture: agree within what timescales an audit assignment should work to (e.g. 15 days to provide information in full at the beginning of an assignment etc.) and then to report outliers. (Some IA teams even provide a “management controls awareness” rating according to a pre-defined framework).
• On the basis that openness about risks is important: to highlight that major risks or unreported incidents not previously identified by management will lead to a lower audit rating;
• If there is a risk that that audit ratings may not be currently sending the right message, to revisit the audit ratings process; make it tougher to get the highest audit rating:

• If similar issues seem to be reoccurring, to strengthen the audit methodology for root cause analysis and the thematic reporting of causes: E.g. “Weaknesses were due to: Poor risk identification, caused by insufficient training of staff concerned (which was not tracked and followed up), as well as insufficient supervision, which in turn was due to confusion whose role it was to supervise this area.” This is a course we can run as a webinar if there is an interest.

At all times, when working with culture and behaviour don’t forget the importance of focusing on something that matters and don’t forget the criteria and consequences (otherwise you’ll get a “so what?” reaction). Most of all, recognize that to be effective in this arena you need to take one step at a time and to recognize that whilst this is one of the “final frontiers” that audit needs to work in, it is also an area with political sensitivities that must be thought about in advance, otherwise you could find yourself “locked out” of this critically important, and extremely interesting, area for internal audit to work in.

James C Paterson, October 2020

For a number of years, I have been running the IIA UK training on auditing culture, I also helped write the IIA UK guidance on auditing culture. I’m a finance professional, but did a masters’ degree in management (focusing on organizational behavior). I then left finance to work in HR (in leadership development and managing culture change). Then I became a head of internal audit for AstraZeneca for 7 years, and since 2010, I have been combining my passion for people and the soft stuff with my love of internal audit, doing training and webinars across Europe, with a number for the IIA Norway in 2020 and more planned in 2021. This could include another webinar on auditing culture for IIA Norway if there is interest.

James runs training (face to face and webinars) for 14 of the IIA organizations in Europe, including the IIA Norway. He is the author of “Lean auditing”, which looks at how lean and agile ways of working can drive progressive ways of auditing, improving added value and quality.

See www.RiskAI.co.uk for more articles and information.