Let me share 2-3 myths about culture and 2-3 of the fundamentals for internal audit teams.
If this topic interests you, come along to the virtual course to examine it further.
Myth 1: The culture of your organization can be captured by employee surveys
This is incorrect for many reasons, including
i) surveys collect opinions about culture etc. which may not always be correct
ii) some staff do not reply to surveys
iii) the way most people look at surveys is to consider the average result and not the extremes
iv) surveys can be out-dated very quickly (think what happened when Covid-19 came along).
This last point is vital to understand because you might be tempted to give assurance over the culture of an area, but are you clear how long this assurance will last? And what you are saying will be OK? Unfortunately, many auditors underestimate the complexity of «reasonable assurance» in relation to culture.
Myth 2: Culture is soft and intangible and cannot be examined by internal audit
This is incorrect. If someone delays getting you information to start an audit assignment, this is not a dream, it is actual behaviour. If this is the second time you have found the same problems with delayed projects, this is real. If this is the third time someone has asked for extra time to complete an audit, its real behavior may represent a cultural trait. In broad terms, culture can be seen to be a causal factor in many GRC issues and is increasingly being talked about and looked at by regulators. There is a specific requirement for internal audit in the UK to look at culture.
For projects, cultural challenges can include:
a) unclear roles between the project, business, and external consultants
b) over-ambitious benefits and inaccurate cost forecasts
c) underestimating trade-off risks between (say) time and cost and benefits realization.
Myth 3: If I follow a framework provided by a consultant, auditing culture will be easy
Of course, consultants will quote success stories where companies have used their culture frameworks with success. But in my role, I hear of high costs and difficulties. Specifically, if your audit approach «fits in» with the culture of your organization and what stakeholders want, you may be appreciated; but if you start challenging «sacred cows» you may find you experience political pressure and/or delays in making robust progress overtime. For example, the HR function may challenge IA/consultant priorities for action compared to their priorities.
To do a solid job around culture, here are some of the fundamentals you need to be aware of:
Basic step 1: Understand the various definitions around culture/risk culture, sub-culture and behaviour
I see a lot of simplistic and/or loose language around culture. So, if you want to work on culture, you need to understand key terms and the differences between them. Ultimately you need to understand what drives behaviour and sub-culture (like today’s weather) vs. the more general culture (like the climate). You also need to understand the difference between the «espoused culture/values» (on posters, in codes of conduct, and measured by staff surveys), and the authentic culture/sub-culture, which causes difficulties between departments (and within projects) and/or creates stress for employees and leads to them taking short-cuts.
Basic step 2: Understand key models around culture before the risk and assurance consultants got involved and the methodological challenges in interpreting results
Consultants will often explain their model is a tool you should use, and they will quote success stories, and you will want to trust them. But you need to understand the choices and limitations of the questions asked and the proposed approach to be taken. In other words, you need to select a model “with your eyes open”; otherwise, certain blind spots will not be so clear to you, often leading to problems later on. Culture models to look at include:
- Edward Hall’s High/Low context
- Hostede’s 6 dimensions
- Gareth Morgan’s “Images of Organisation”
- The Graves model of cultural differences concerning leadership
- The Johnson & Scholes cultural web
Methodological considerations need to address points i)-iv) discussed in myth 1, plus several other areas as well (including how to manage “group dynamics” in workshops).
Basic step 3: Step up your approach to Root cause analysis with a robust methodology for doing this and start gathering behavioural data as you carry-out audits
You can’t do an excellent job on culture unless you understand, in detail, key behavioural issues in your organization and the causal factors for what you are finding. Through understanding causal factors and themes, you can start to prioritize, focus, and tailor the work you do on culture.
I hope this article has been helpful and to see a few more of you at the virtual classroom: Auditing Culture.
James C Paterson
James has a master’s degree in management, focussing on organisational behaviour. He was head of global leadership development programmes for AstraZeneca PLC and Chief Audit Executive from 2002-2009. He has worked as a consultant in audit, risk and assurance since 2010 and helped write the IIA UK guidance on auditing culture in 2013. James is the author of Lean auditing (looking at lean and agile ways of working)
James runs training on auditing culture, root cause analysis and politics for internal audit for more than 12 of the IIA organisations in Europe.