How to Audit Corporate Culture
Justin Gwin, Risk Advisory Services Manager, Kaufman Rossin
Many recent high-profile scandals, such as those at Toshiba, Volkswagen, FIFA, and Wells Fargo, have shown the adverse effect of having a poor corporate culture.
Toshiba’s $1.2 billion profit inflation scandal, which occurred over seven years and came to light last summer, was called “the most damaging event for the brand in the company’s 140-year history” by the outgoing CEO. The Independent Investigation Committee concluded that “there existed a corporate culture at Toshiba where it was impossible to go against the boss’ will.” In less than six months from the initial announcement, the scandal had wiped roughly $8 billion off Toshiba’s market value.
At Wells Fargo, the former CEO acknowledged that he helped create a culture that led to sales practice abuse at the bank. He said he had been aware of the systemic problem for over four years before his resignation in October 2016. After agreeing to give up $41 million of pay, an independent board committee deemed it necessary to clawback an additional $28 million from the former CEO.
Another senior executive was also forced to forfeit $47 million of compensation on top of $19 million already forgone. The result was the largest clawback of pay in financial services history and significant damage to the company’s reputation.
A job for internal audit
If the lessons at Toshiba and Wells Fargo have taught us anything, it’s that the existence of an inappropriate culture can be dangerous to an organization and its employees. The values, policies, attitudes and behaviors set out by management require proper monitoring. Due to the nature of its activities and detailed insight of operations across the entire organization, the internal audit team is often uniquely positioned to assess corporate culture and governance.
The profession still has some work to do to tackle the issue of corporate culture, however. According to a 2016 study by the Institute of Internal Auditors, 58 percent of internal audit departments do not audit culture. The study did not expand upon the reason for not auditing culture.
It is a unique, difficult and sensitive area. Culture does not easily lend itself to hard proof that auditors normally gather through traditional control testing. Some internal auditors may lack the experience or skill sets necessary to conduct such an assessment. But this does not preclude culture from being subject to an audit. The communication and soft skills sets needed can be obtained through proper career development, training, and experience.
Many aspects need to be considered when auditing culture, such as governance practices, corporate ethics and responsibility, leadership styles, policies and procedures, training, incentives, employee/customer/vendor feedback, communication practices, turnover, etc. The audit should also be tailored based on the organization’s environment, structure and industry.
6-step approach to assess culture
So how should internal auditors approach such a significant undertaking of auditing culture? Testing for the mere existence of a code of ethics, mission statements or defined values is simply not enough.
Following are six steps that can help you get started.
1. Secure support from appropriate stakeholders
The CEO, board and audit committee should welcome an assessment of culture that may improve the organization as a whole, and their approval and cooperation can aid in the effectiveness of the audit. Unfortunately, this may not always be the case, and strong resistance may be further indication of cultural red flags. The chief audit executive will need to have an open dialogue with the appropriate stakeholders to express the purpose and value of such an audit in effort to gain support.
2. Perform root cause analysis on audit findings
Analyze findings from current and prior-year audits, and determine whether there is an underlying cultural behavior that caused the issue.
It’s important for auditors to identify not just what happened in terms of compliance with expectations, but also why things happened. A breakdown in procedures and controls identified during an audit of any area could be due to lack of communication or lack of training. Further investigation could reveal an autocratic leader who doesn’t share information or that development and training for employees is not truly valued. Any finding that may give an indication of a poor culture should be tracked and summarized to aid in the assessment.
3. Evaluate aspects of culture assessment in each engagement
According to a study conducted by the UK Chartered Institute of Internal Auditors, observation and interviews are the most common method used to assess culture.
During each engagement, the auditors can directly observe and document behaviors, communication practices, leadership styles, etc. The audit team will already be working closely with employees and should be able to obtain direct feedback on culture within their respective areas. Specific cultural traits can be tracked in consecutive audits to help identify trends and patterns.
Any cultural red flags that may appear during an engagement should be documented, such as:
- Lack of response to initial documentation requests
- Slow or no response to follow-up questions
- Management not reacting to issues brought up during the audit
- Management punishing the team for reportable issues or tying compensation to audit results
- Excessive risk acceptance
- Findings are often repeat issues that were never addressed
Auditors should be mindful that subcultures across larger organizations may exist across different locations or departments, and especially if there have been acquisitions. Pockets of toxic culture can be detrimental to the organization as a whole.
4. Distribute questionnaires and surveys
In addition to interviews and observation, questionnaires and surveys can be very useful tools to gather a large amount of measurable feedback from a diverse group.
They should be constructed in a way that provides usable evidence for internal audit about culture and how it operates. Consider correlations between employee engagement levels and audit findings. Questions can be developed with management and the board to determine any specific feedback they would like to have.
5. Examine existing data and metrics
Human resources and compliance departments may already be tracking some relevant information that may indicate cultural issues or solidify other observations. HR should be able to provide turnover rates by department/location, results of exit interviews, employee complaints, etc. Auditors can also gather information from whistleblower hotlines, social media, or customer and vendor feedback.
6. Examine HR practices and incentives
Financial and non-financial incentive programs may exist that do not support the core values of an organization and, in some cases,may be extremely harmful. Internal auditors should examine whether compensation and performance metrics are aligned with the organization’s policies and values. Performance and talent management should encourage and reinforce desired behaviors.
Many successful organizations attribute their superior performance and accomplishments to their organization’s culture. As Toshiba and Wells Fargo have shown, a poor culture can cause tremendous damage to company reputation, profits, and its employees. It is incumbent upon the board to seek assurance that the appropriate culture is being displayed throughout the organization by directing their internal audit team to take a deeper look at culture.
About the Author
Justin Gwin, CIA, CPA, CISA, CRMA, CRISC, is a risk advisory services manager at Kaufman Rossin where he provides internal controls consulting and internal audit for businesses in a variety of industries. Justin also serves as president of the Institute of Internal Auditors (IIA) Miami chapter. He can be reached at jgwin@kaufmanrossin.com.