The Institute of Internal Auditors' latest Pulse brief has been subtitled "Time to move out of the comfort zone" and, after a peruse of the document, it is aptly titled. This is a refreshing read for auditors in 2016, might I add, and the document is based on information the IIA has captured.
The publication has a key focus on auditing cyber security, which is to be expected as cyber risk is a real risk management trend at the moment. Interestingly, there is also a strong overlay of "organizational culture, relationships matter ... valuing interpersonal skills" and how companies are auditing this.
2016 North American Pulse | IIA
Only 50% or so on a good day: about half of all auditors that report to the CEO audit culture. From the outset I would say wow, that score isn't too high, but then if one ponders on this further ... auditing culture is not very straightforward to do and, worse, doing so is a political, social space littered with career-limiting landmines.
Here is another thought. Is organisational or risk culture important? If it isn't significant to the health of a company, then auditing it is going to yield little. The IIA believes otherwise:
"The common factor at the root of every corporate scandal from Enron to FIFA to Toshiba seems to be a culture that contributed to or condoned behaviour leading to disastrous results."
Auditing organisational cultural relationships matters | IIA
The second obvious concern among auditors, and certainly those that "administratively report to the CEO", would be that if the tone at the top sets institutional culture, it would follow that the person we all report to is up for an audit as well.
Can organisational culture be audited?
Putting all politics aside, can culture truly be audited in a credible way?
Auditing control effectiveness, operation or policy outcome is one thing, and relatively straightforward in comparison to culture, which is an utterly fuzzy concept. Behaviour that works in one industry sector may not do so well when it is imported elsewhere, and culture goes beyond behaviour to swing in colloquial, religious, gender and age-related aspects that border on discrimination when probed. So auditing culture is to tamper with something that is amorphous, and it potentially leads the audit team down a road that might find them breaching their own policy on discrimination.
I have this feeling that auditing culture would be reduced to a tick-box exercise at best, and that is detached from risk or control, even the strategic objectives of the company. Don't misunderstand me, I am totally in agreement with the IIA: the common factor for most corporate disasters is probably culture. It nearly always features when catastrophes are investigated, but this only becomes apparent in retrospect.
Nonetheless, a tick-box exercise will not be useful for uncovering factors that lead to wrongness (whatever that translates to) when cultural dynamics are generally not potent until a threat presents itself. To put it differently, those employees that tick a 'yes' when assessed are usually part of the 'yes brigade' that cause institutions to fail when things are not right, but on a normal day they operate everything smoothly.
I believe auditing culture needs to explore survey data, of course, but modelling techniques such as discriminant analysis will also need to feature. An auditor is going to have to map intertwining factors that link process, control, behaviour and risk, including the risk appetite for each individual being audited. This will move auditors to an end game if everything goes well, including the capture of 'people data', but it won't be successful until an audit framework is mature enough to assess cultural indicators alongside organisational values.