Auditing Culture – A New Perspective

Let’s be honest – most readers are probably bored stiff with my constant appeals for internal auditors to focus more on organizational culture. And I get it. It’s easy to dismiss as yet another item on an ever-growing list of things we “should” be doing. But here’s the reality: internal audit’s role in auditing culture isn’t just a buzzword or my personal crusade. It’s a key expectation of the internal audit profession. The new IIA UK Code of Practice explicitly states that we must engage with organizational culture. So the question isn’t whether we should audit culture—it’s how do we do it effectively?

The Cultural Challenge

Behavioral scientists have been researching workplace behavior for decades, producing vast amounts of information on what motivates human behavior. We know a great deal about what makes people tick. Yet, when it comes to translating that knowledge into actionable insights for audit functions, most internal auditors struggle to gain traction with the subject.

Some functions have gone so far as to create specialized teams, staffed with behavioral scientists, to help audit culture. Others have chosen to express opinions on the culture of their organizations in their reports. While these are positive steps, the unfortunate reality is that many audit teams have abandoned the idea that they could look at culture through a risk-based lens. But it’s precisely this risk-based approach that should guide how we audit culture.

Why Do We Struggle?

There are several reasons why internal audit functions have found auditing culture difficult. First, culture is often seen as intangible, something that cannot be easily measured or audited. Second, there’s often a disconnect between what we know about human behavior from a scientific perspective and how it can be applied in a business context, particularly in an audit.

But there’s a way to bridge that gap and approach auditing culture in a way that fits our risk-based traditions. And that’s by looking at culture through a behavioral risk management lens.

A Risk-Based Approach to Auditing Culture

So, what do I mean by “behavioral risk management”? In essence, it’s the idea that we can view culture as a series of risks—specifically, the risks of inappropriate behavior in relation to an organization’s strategic objectives, values, and purpose. The key to successfully auditing culture is to focus on identifying and managing these behavioral risks.

What Should We Look For?

The first step is to understand what a behavioral risk management framework looks like. This framework is designed to identify the behavioral risks that could impact the organization’s goals and objectives. It helps us pinpoint specific actions or behaviors that could either align with or undermine those goals.

For example, consider how hiring practices, training programs, internal messaging (the “tone from the top”), and incentives all play a role in influencing employee behavior. These activities can either promote positive behaviors that align with the organization’s values or create opportunities for negative behaviors to take root.

Culture Controls: Design and Effectiveness

Once we’ve identified the activities that influence behavior, the next step is to treat them as controls. Yes, you heard that right: hiring, training, and incentivizing employees are all activities that can be seen as controls. These controls are designed to shape the way people behave within the organization. As with any control, our role as auditors is to assess both the design and the operating effectiveness of these controls.

Assessing the Design

Assessing the design of these controls involves looking at how these activities are structured to promote the right behaviors. For example, does the training program reinforce the organization’s values and expected behaviors? Does the incentive structure reward the kinds of behavior that the organization wants to see, or does it inadvertently encourage cutting corners or unethical behavior?

Operating Effectiveness

After assessing the design, the next step is to evaluate whether these controls are operating effectively in reality. This is where the audit can really get interesting. The operating effectiveness work could include deep dives into understanding why people behave the way they do. This involves talking to employees, observing behaviors, and using data analytics to identify patterns of behavior that might not align with the organization’s stated values. However, this is advanced work, and audit teams might need specialized skills or external support to do this well. Rome wasn’t built in a day!

Tactical Plans for Auditing Culture

If you’re reading this and wondering how to get started, let me suggest a tactical plan. The key is to begin by flexing the way we audit traditional controls, incorporating behavioral risk into the mix. For example, instead of just looking at whether financial controls are in place, we could also ask whether the behaviors encouraged by those controls align with the organization’s cultural goals.

From there, you can gradually build out your audit approach to include more comprehensive assessments of behavioral risks and the activities designed to mitigate them. Over time, this will help you develop a more holistic view of how culture impacts the organization’s risk profile and its ability to achieve its strategic objectives.

Want to Know More?

If this approach resonates with you and you’d like to dive deeper, I encourage you to explore Risk Audit’s Audit of Culture course on Tuesday 19th November 2024. It provides a more detailed look at how to audit culture using a risk-based approach, complete with real-world examples, case studies, and practical tools you can apply in your audit function.

Additionally, if you’re looking for more tailored guidance, we offer consulting services to help audit teams develop and implement their own frameworks for auditing culture. Whether you’re just starting out or looking to refine your existing approach, our team can work with you to ensure that you’re not only meeting minimum requirements but also adding value to your organization through a robust audit of culture.

Conclusion

Auditing culture doesn’t have to be an intangible or overwhelming task. By viewing culture through a behavioral risk management lens, we can approach it in a way that stays true to our risk-based traditions while addressing the real and significant impact that culture has on organizational success.

As internal auditors, we have a responsibility to go beyond the surface and look at the deeper drivers of behavior within the organization. By doing so, we not only fulfill our obligations under the new IIA UK Code of Practice but also provide valuable insights that can help our organizations build stronger, more resilient cultures.

So, no more excuses. Let’s get started on auditing culture in a way that adds value, mitigates risk, and supports the strategic objectives of the organizations we serve.