It's time that GRC professionals, regulators and Internal Audit recognised the importance of auditing culture and behaviour - the "soft stuff".
Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
For the past six years I have been running the IIA UK training on auditing culture, and I also helped write the IIA UK guidance on auditing culture. My background is worth explaining: I’m a finance professional, but I did a master’s degree in management (focusing on organisational behaviour). I then left finance to work in HR (in leadership development and managing culture change). Then I became Head of Internal Audit for AstraZeneca for seven years, and since 2010 I have been combining my passion for people and the soft stuff with my love of Internal Audit, doing training and webinars across Europe and further afield.
I am really happy that GRC professionals, regulators and Internal Audit have started to recognise the importance of the soft stuff when it comes to the effective management of risk and maintaining ethical conduct. This was caused, in large part, by the recognition that many aspects of the financial crisis of 2007-2008 were caused by shortcomings in the “bonus culture” and underestimation of the latent risks building up. In addition, there were mis-selling scandals highlighting poor conduct in sales, which did not put the customer first.
In the UK, the importance of culture and conduct in relation to Internal Audit was formally recognised in a code of practice for Internal Audit in financial services, published in 2013, which said that Internal Audit should consider, when making audit plans, “the risk and control culture” and “the setting of, and adherence to, risk appetite”, amongst other areas. In January 2020, the same points were included in the IIA UK Code of Practice for Internal Audit, which applies to all sectors and not just financial services.
So, what is the soft stuff? Being clear about culture, sub-culture and behaviour
The fundamental idea behind the soft stuff is that, on paper, things may appear to be fine, but in practice the reality is different. In theory, bankers were supposed to sell ethically, but in practice some were selfish and pushed products onto customers that they didn’t really need and couldn’t afford, which in turn created more long-term risk.
At a more basic level, think about how behaviour/culture shows up in everyday internal audit activities:
- You request information to start an audit and the information comes late, or is incomplete.
- You organise a meeting as part of assignment fieldwork and it’s cancelled, or cut short.
- You are hoping to agree an audit report and find you are arguing over every word, and are also pushed to justify your assignment grading.
- You have agreed actions and then find the manager concerned wants an extension to the deadline that was set (imagine how common this might become with Covid-19 as a justification!).
And this “soft stuff” applies within and between other departments on a day-to-day basis in any organisation: some departments work co-operatively together, where we might say their culture is collaborative and healthy, whereas other departments operate in silos. These examples illustrate one of the most famous definitions of culture: “Culture is the way we do things around here.”
To be more precise, individuals in an organisation behave in particular ways. The aggregate of their behaviour creates a “sub-culture” in a specific area or department. For example, there may be a sub-culture specific to selling, another for the IT department and another for those at the executive level; and one culture in the UK, and another for colleagues working in Japan or India. These differences arise because the people in each department are recruited from different backgrounds, given different tasks, and rewarded and managed in different ways. You can’t expect the cultural norms of the PR department (e.g. creativity) to be the same as the cultural norms of Internal Audit (e.g. focus on facts and data). However, if you can find similarities in the culture between different areas (e.g. “holding others accountable”), then we might say there is an overall culture in the organisation.
Real versus espoused culture
Note that cultural norms and expectations may be proposed by senior management and HR, and communicated on the intranet, discussed at workshops and shown on posters, but that is what is called the “espoused” culture. The true culture of an organisation is the actual way we do things around here. Academics Johnson & Scholes created a model for understanding culture (the “cultural web”), explaining that it encompasses routines and rituals, which may in turn be linked to myths and stories, which may in turn be linked to leadership, heroes and villains, etc. It’s important to understand that there are many ways of “slicing” culture, which can include international considerations (see Geert Hofstede), as well as the implicit mindsets people have about organisations (see Gareth Morgan in “Images of Organization”).
So, this leads to a crucial point: behaviour and culture cannot be pinned down by any specific model (no matter what anyone tells you). Furthermore, behaviour and culture are themselves caused by other factors. I can’t stress this point enough: you can’t properly explain poor cross-functional working by saying “there is a silo culture”; that’s just a restatement of the problem! You have to start to ask WHY there is a silo culture. And saying, as some do, “the silo culture is due to a poor tone at the top” doesn’t really get hold of what’s going on either, because the question comes again: why is there a poor tone at the top?
Likewise, if a manager is not dealing with the audit process in a constructive way, this is NOT explained by saying there is a bad culture or a poor tone at the top: it’s just a restatement that there is a problem. Such general explanations are actually examples of “organisational defensive routines” (see Chris Argyris), which effectively talk around an issue but avoid pinpointing it specifically, in order to protect the organisation from embarrassment. Thus, there is an important interplay between culture and organisational politics, but this is something that many try to avoid discussing.
So, as you dig into this subject, you discover that culture and behaviour result from a range of psychological, sociological and systemic factors. That’s a big statement this far into the article, but it’s vital to see it in order to get a hold of what you are actually dealing with when we talk about the soft stuff. So, returning to Internal Audit, some of the reasons why departments resist internal audit enquiries and negative conclusions may be:
- The psychological pressure to justify themselves (L Festinger: Self-justification and Cognitive dissonance)
- The feeling that “everyone else is doing it” (S Asch: Conformity) or that “My boss doesn’t really care about this, so why should I?” (S Milgram: Obedience to authority)
- The fact that there is no target, measure or reward for doing the right thing, or no consequences if I don’t do something (these are some examples of systemic factors: see the elements of the Burke-Litwin model in the diagram below). Note the inter-relatedness of culture/climate with many other factors.
Busting two common myths about culture
Two final fundamental points when thinking about “the soft stuff”. First, the soft stuff is NOT intangible, as many say. You are not hallucinating when someone cancels a meeting, nor when they argue over your ratings; this is real behaviour and you experience it. What is more “intangible” is the aggregation of these behaviours. This means it’s always better to deal with the soft stuff at a practical, specific level (behaviour and sub-cultures) than to talk and think too much at the aggregate level (e.g. the overall culture).
Secondly, as you will know, but it bears repeating: behaviour and culture are dynamic phenomena. Things can be moving in a good direction and then there is a change, or perhaps a sudden shock, and the behaviour/culture in an organisation can change completely. This can be due to getting extra pressure to meet sales targets from your boss, or a change of boss, or something external such as Covid-19. In many organisations, perhaps your own, the culture may have changed drastically as a result of Covid-19. This is important to remember, because it means internal auditors need to be wary of thinking, or asserting: “we have a good culture, nothing bad is likely to happen.”
This means if you are asked to provide assurance on soft issues there may be significant issues with the shelf-life of your assurances. The control culture may be good one day, but all you need is a cost-savings programme and job losses and many of those good practices will fly out of the window (unless your organisation makes special efforts to counter this).
Hopefully, so far so good. The soft stuff is real, it gives us a window into aspects of the way organisations work that explain why things can go wrong (as well as why things go right). There is a lot of “motherhood and apple pie” about culture that you need to take with a pinch of salt, mostly because it brings up complex and sensitive factors that can’t easily be talked about.
IIA standards to the rescue
So, what is a proper role for Internal Audit in relation to the soft stuff? Let’s look at relevant IIA standards (2017 International Professional Practices Framework (IPPF)):
- Internal audit functions should produce risk-based audit plans (IPPF 2010) – so that means we need to be clear: what behavioural/cultural issues might, in aggregate or in specific areas, generate an important risk for the organisation? And/or, in relation to the management of a specific key risk, what behavioural/cultural factors could undermine the way that risk is managed?
- Internal Audit should add value to the organisation and offer insight (IPPF 2000, 2010), and co-ordinate with, and consider relying on, others (IPPF 2050) – so that means we need to understand what is known/not known concerning behavioural and cultural issues before we start doing any audit work on culture. There is no point telling management/HR about a cultural problem they already know they have got, and (perhaps) are working on.
- Finally, we need clear, robust, criteria for any assignment (IPPF 2210), against which we can judge any behavioural or cultural risks. Anyone can say, “we don’t have as good co-operation between finance and marketing as we would like”, but then we might get the counter-argument, “yes, co-operation could be better in some areas, but there are good practices and it’s getting better”.
Of course, there are also IIA standards around IA proficiency and evidence gathering that must be followed.
So, in practice what do I do about soft issues?
My first piece of advice is that, in order to operate effectively in this arena, you need to make sure that any audit staff who are going to be involved properly understand what they are talking about in terms of behaviour, sub-culture and culture, the difference between espoused and actual culture, and the fact that there are many models for culture, none of which are definitive.
The next step is to try to “see” the behaviours/culture in your organisation. Of course, official statements about the organisation’s culture/values are one element of this, but more telling are the mechanisms used to measure and monitor progress towards meeting those expectations.
Specifically, concerning the measurement and improvement of the “official culture”:
- What is the link between espoused norms and behaviours and employee survey areas?
- What questions are not asked in employee surveys – for example concerning aspects of the risk and control mindset of the organisation? Remember that some culture surveys may be crafted in a way that matches senior management expectations and interests and may therefore omit important issues.
- What analysis is done of culture survey results? For example, how does the organisation address the fact that survey results may be on a range, with an average that is more or less content but others with (perhaps) serious concerns? How does the organisation deal with employees who do not respond to surveys? Is it assumed that their feedback would be the same as everyone else’s? If so, what is the basis for this? (It could be that employees who do not reply are either over-worked, so feel they don’t have the time to complete a survey, or believe the survey process is something of a “theatre” where nothing will really change.)
- How are conclusions drawn from the survey results and how are any actions proposed, prioritised and actions tracked? There may be alternative perspectives on what survey results actually mean (e.g. implicit criticism of strategic choices, but interpreted as a lack of understanding on the part of employees) and there may be a vagueness in the actions to be taken (e.g. run workshops, without much concern for the actual outcomes).
Also, take a long hard look at the following:
- Issues, incidents and near miss information – what have been the explanations of why these issues arose?
- Regulatory or other external inspection surprises – how much did we expect these problems, or were we surprised and if so why? (Note: blaming specific people, contractors or external events is not a healthy sign – see the Just Culture framework).
- Other risk management surprises – such as projects that have been delayed, or gone over budget?
- Internal audit results over (say) the past 1-2 years – are there any themes or patterns suggesting the same or similar things are going wrong? Also, what work has been done to understand the key root causes of these issues?
- What management behaviours do we encounter when we do our internal audits? How many of these behaviours are healthy and how many cause us concern? Have we kept a record of these behaviours for each audit and are we clear in tangible terms who we are most/least happy with and why? (see table below).
Once you have pulled together as many of the “pieces of the jigsaw” as you can, the audit team can start to think about:
- Gaps in knowledge and understanding that need to be better understood (e.g. progress on certain HR initiatives, or by doing more root cause analysis work)
- The cultural/behavioural issues that may create the biggest risks.
Examples of practical steps you can take
Based on an analysis of the areas that may pose the biggest risk from a behavioural/cultural perspective, here are some of the steps other audit teams have taken:
- On the basis that a smooth audit process is symptomatic of a good control culture: agree with key stakeholders what timescales an audit assignment should work to (e.g. 15 days to provide information in full at the beginning of an assignment, etc.) and then report outliers. (Some IA teams even provide a “management controls awareness” rating according to a pre-defined framework.)
- On the basis that openness about risks is critical: highlight that major risks unrecognised by management will lead to a lower audit rating.
- On the basis that audit ratings may not currently be sending the right message: revisit the audit ratings process, including making it tougher to get a good rating.
- If similar issues seem to be recurring: strengthen the audit methodology for root cause analysis and the thematic reporting of causes. E.g. “Weaknesses were due to: poor risk identification, caused by insufficient training of the staff concerned (which was not tracked and followed up), as well as insufficient supervision, which in turn was due to confusion over whose role it was to supervise this area.” Such an approach reveals actions that need to be taken at a systemic level: change the system, start to change the behaviour, and in turn the culture.
- For selected key risk areas, consider what information is available that suggests behavioural issues may be “slipping through the fingers of management.” Based on this, develop assignment work programmes that factor in potential management blind-spots. This may include focusing on how roles and accountabilities are (or are not) made clear; how priorities are set and adjusted when resources are limited and associated with this the clarity of risk appetite; the training and supervision/coaching given to key staff, and/or how communication flows (or does not flow) upwards and/or between departments.
At all times, when working with the soft stuff, focus on something that matters and don’t forget the criteria and consequences (otherwise you’ll get a “so what?” reaction). Most of all, recognise that to be effective in this arena you need to take one step at a time, and that whilst this is the “final frontier” that audit needs to work in, it is also an area with political sensitivities that must be thought about in advance; otherwise you could find yourself “locked out” of this critically important, and extremely interesting, area for Internal Audit to work in.
James runs training (face to face and webinars) for 12 of the IIA organisations in Europe, as well as on an in-house basis globally. He is the author of “Lean Auditing”, which looks at how lean and agile ways of working can drive progressive ways of auditing, whilst maintaining and even improving added value and quality. See www.RiskAI.co.uk for more articles and information.